Critical Craft CMS Vulnerability (CVE-2025-32432) Actively Exploited in the Wild
A severe code injection vulnerability in Craft CMS (CVE-2025-32432) has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after confirmed active exploitation. The flaw, classified under CWE-94 (Improper Control of Code Generation), allows remote, unauthenticated attackers to execute arbitrary code on vulnerable servers.
Craft CMS, a widely used enterprise content management system, is at high risk due to this vulnerability. Successful exploitation grants attackers full control over affected systems, enabling data exfiltration, website defacement, or lateral movement into internal networks. While it remains unclear whether the flaw is being used in ransomware campaigns, its potential for initial access makes it a prime target for threat actors, including state-sponsored groups and access brokers.
CISA added CVE-2025-32432 to the KEV catalog on March 20, 2026, mandating federal agencies under Binding Operational Directive (BOD) 22-01 to patch by April 3, 2026. Though the directive applies only to government entities, CISA recommends all organizations adopt the same urgency in remediation.
Unpatched Craft CMS instances exposed to the internet are highly visible targets and are likely already being scanned and exploited by automated attack tools. Mitigation is to apply the vendor update immediately; if patching must be delayed, a temporary workaround such as disabling the vulnerable component is recommended. Organizations are also advised to monitor web access logs for suspicious activity.
Source: https://cybersecuritynews.com/cms-code-injection-vulnerability-exploited/
Craft CMS cybersecurity rating report: https://www.rankiteo.com/company/craftcms
{
"id": "CRA1774268712",
"linkid": "craftcms",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'All unpatched instances',
                        'industry': 'Technology/Software',
                        'name': 'Craft CMS',
                        'type': 'Content Management System'}],
 'attack_vector': 'Remote',
 'data_breach': {'data_exfiltration': 'Potential'},
 'date_publicly_disclosed': '2026-03-20',
 'description': 'A severe code injection vulnerability in Craft CMS (CVE-2025-32432) has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after confirmed active exploitation. The flaw allows remote, unauthenticated attackers to execute arbitrary code on vulnerable servers, enabling data exfiltration, website defacement, or lateral movement into internal networks.',
 'impact': {'brand_reputation_impact': 'Potential website defacement',
            'data_compromised': 'Potential data exfiltration',
            'operational_impact': 'Full system control by attackers',
            'systems_affected': 'Craft CMS servers'},
 'initial_access_broker': {'entry_point': 'CVE-2025-32432 (Craft CMS vulnerability)'},
 'investigation_status': 'Ongoing',
 'motivation': ['Data exfiltration', 'Initial access', 'Lateral movement'],
 'post_incident_analysis': {'corrective_actions': ['Patch management', 'Vulnerability scanning'],
                            'root_causes': 'Improper Control of Code Generation (CWE-94)'},
 'ransomware': {'data_exfiltration': 'Potential'},
 'recommendations': ['Immediate patching via vendor updates',
                     'Disable vulnerable component if patching is delayed',
                     'Monitor web access logs for suspicious activity'],
 'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) catalog'}],
 'regulatory_compliance': {'regulations_violated': ['Binding Operational Directive (BOD) 22-01 (for federal agencies)'],
                           'regulatory_notifications': ['CISA KEV catalog addition (March 20, 2026)']},
 'response': {'containment_measures': ['Disable vulnerable component (temporary workaround)',
                                       'Monitor web access logs for suspicious activity'],
              'enhanced_monitoring': 'Monitor web access logs',
              'remediation_measures': ['Immediate patching via vendor updates']},
 'stakeholder_advisories': 'Federal agencies mandated to patch by April 3, 2026; all organizations advised to prioritize remediation.',
 'threat_actor': ['State-sponsored groups', 'Initial access brokers'],
 'title': 'Critical Craft CMS Vulnerability (CVE-2025-32432) Actively Exploited in the Wild',
 'type': 'Code Injection',
 'vulnerability_exploited': 'CVE-2025-32432 (CWE-94: Improper Control of Code Generation)'}