Critical Craft CMS Zero-Day Exploit Chain (CVE-2025-32432) Leveraged in Active Data Exfiltration Attacks
Key Takeaways
- Attackers are actively exploiting a zero-day exploit chain (CVE-2025-32432) in Craft CMS to achieve unauthenticated remote code execution (RCE) and exfiltrate data from compromised servers.1
- The exploit targets the asset image transformation endpoint: attackers enumerate asset IDs with repeated POST requests until they hit a valid one, then send a payload that the server interprets and executes as PHP.
- The campaign was first observed in February 2025 and continues to impact unpatched Craft CMS installations as of late April 2025.1
- Official patches have been released in Craft CMS 3.9.15, 4.14.15, and 5.6.17. Immediate upgrade is strongly recommended; no authentication or configuration change prevents the attack on an unpatched install.1
- The attack chain is a reminder that individually modest weaknesses (an unauthenticated endpoint, predictable numeric IDs, a request parameter the server interprets) combine into full compromise, and that timely patching and monitoring are the practical defence.
What Happened?
In early 2025, security researchers and incident responders observed a coordinated campaign exploiting a newly discovered zero-day vulnerability chain in Craft CMS. The attackers leveraged CVE-2025-32432 to achieve unauthenticated remote code execution (RCE) and exfiltrate sensitive data from targeted servers.1
The exploit chain abuses the image transformation feature of Craft CMS. Attackers send crafted POST requests to the `/index.php?p=admin/actions/assets/generate-transform` endpoint, enumerating asset IDs until a valid one is found, and then supply a payload that the server interprets and executes as PHP. The result is arbitrary PHP code execution, full server compromise, and data theft.1
Technical Details
- Vulnerability: CVE-2025-32432 (Craft CMS Asset Image Transformation RCE)
- Attack Vector: Unauthenticated POST requests to the image transformation endpoint (`/index.php?p=admin/actions/assets/generate-transform`), incrementing asset IDs to find valid targets
- Impact: Remote code execution, file upload, data exfiltration, persistent access
- Affected Versions: Craft CMS 3.x, 4.x, and 5.x prior to 3.9.15, 4.14.15, and 5.6.17 respectively (the 3.x branch received a fix alongside 4.x and 5.x)
- Patch Released: April 2025
Exploit Chain Steps
- Asset ID Enumeration: Attackers use automated scripts to enumerate asset IDs by sending repeated POST requests to the transformation endpoint with incremented IDs. Because asset IDs are small sequential integers, a valid one is found quickly.
- Payload Injection: Once a valid asset ID is found, a malicious payload is sent to the transformation endpoint alongside it, and the server interprets the payload rather than treating it as inert input.
- Code Execution: The server executes the attacker-supplied PHP code, granting the attacker control of the web server process.
- Post-Exploitation and Exfiltration: Attackers then download and execute additional tooling (e.g., a `filemanager.php` web shell) to maintain persistent access, browse and modify files, and exfiltrate data.
Timeline
- Feb 2025: In-the-wild exploitation observed during forensic investigations.1
- Mar–Apr 2025: Vulnerability analysis, vendor notification, CVE assignment, and patch development.1
- Apr 2025: Official patches released; public advisories and technical blogs published.1
Detection & Mitigation
- Upgrade Immediately: Patch to Craft CMS 3.9.15, 4.14.15, 5.6.17 or later. This is the only complete fix; the endpoint is reachable without authentication, so credential hygiene alone does not help.
- Audit Logs: Review web server and application logs for POST requests to `/index.php?p=admin/actions/assets/generate-transform`, especially bursts of repeated requests from a single client (the enumeration phase) and requests from sources that should never touch the control panel. A single transform request from an editor's session is normal; dozens per minute from an unknown address are not.
- Monitor Assets: Check for unauthorized file uploads or modifications, especially new or recently changed PHP files in the web root and asset directories (for example a `filemanager.php` that was never deployed).
- Network Controls: Restrict access to the control panel path (`/index.php?p=admin/...`) at the network or reverse-proxy layer where operationally possible, and monitor for unusual outbound connections from the web server, which is how the post-exploitation tooling is fetched and data leaves.
- Assume Compromise If Exploited: Evidence of a successful payload means the attacker ran code as the web server user. Treat the host as compromised, rotate any secrets readable from it (database credentials, API keys, the application security key), and rebuild rather than merely patch.
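The two checks above that lend themselves to automation are the version audit and the log review. The script below is an added example written for this article, not code from Craft CMS or from the original advisory. `is_vulnerable()` compares an installed `craftcms/cms` version against the fixed releases named above (3.9.15, 4.14.15, 5.6.17); `scan_access_log()` parses combined-format access log lines, flags a burst of POSTs to the transformation endpoint from one client (the enumeration phase), and flags any request for `filemanager.php`. The log lines, the client addresses, and the burst threshold (10 POSTs within 60 seconds) are constructed assumptions for the example, not values from the advisory.

```python
"""Triage helpers for CVE-2025-32432 (Craft CMS generate-transform RCE).

Added example, not code from Craft CMS or the advisory. Sample log lines,
client addresses and the burst threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fixed releases per branch, as stated in the advisory.
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}
TRANSFORM_ENDPOINT = "/index.php?p=admin/actions/assets/generate-transform"
# Post-exploitation tool name seen in the campaign; extend with local findings.
TOOL_NAMES = ("filemanager.php",)

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_version(v):
    """'4.14.14' or '5.6.17-beta.1' -> (4, 14, 14). Pre-release/build suffixes are
    dropped, so a pre-release of a fixed version counts as fixed (assumption)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if version is a 3.x/4.x/5.x release below its branch's fix."""
    t = parse_version(version)
    fixed = FIXED.get(t[0])
    if fixed is None:
        return False  # not a branch the advisory covers
    return t < fixed


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def scan_access_log(lines, burst_count=10, window_seconds=60):
    """Return findings: enumeration bursts per client and requests for tool names."""
    findings = []
    posts = defaultdict(list)  # client ip -> timestamps of transform POSTs
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["path"].startswith(TRANSFORM_ENDPOINT):
            posts[r["ip"]].append(r["ts"])
        bare_path = r["path"].split("?", 1)[0]
        if any(bare_path.endswith("/" + t) for t in TOOL_NAMES):
            findings.append({"type": "tool_request", "ip": r["ip"],
                             "path": r["path"], "status": r["status"]})
    for ip, times in posts.items():
        times.sort()
        # Sliding window: any burst_count POSTs inside window_seconds is a hit.
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append({"type": "transform_burst", "ip": ip,
                                 "count": len(times), "first": times[i].isoformat()})
                break
    return findings


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "python-requests/2.31"'


# Constructed sample: 12 rapid POSTs and a web-shell fetch from 203.0.113.10,
# plus ordinary editor traffic from 198.51.100.7 that must not be flagged.
SAMPLE_LOG = (
    [_line("203.0.113.10", f"14/Feb/2025:10:21:{s:02d} +0000", "POST", TRANSFORM_ENDPOINT, 200)
     for s in range(12)]
    + [_line("203.0.113.10", "14/Feb/2025:10:21:40 +0000", "GET", "/filemanager.php", 200),
       _line("198.51.100.7", "14/Feb/2025:10:22:05 +0000", "POST", TRANSFORM_ENDPOINT, 200),
       _line("198.51.100.7", "14/Feb/2025:10:22:09 +0000", "GET", "/index.php?p=admin/dashboard", 200)]
)

if __name__ == "__main__":
    for v in ("3.9.14", "4.14.15", "5.6.16", "5.7.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

To run against a real install, read the `craftcms/cms` entry from `composer.lock` and feed the web server's access log to `scan_access_log()`. Access logs do not record POST bodies, so the asset IDs themselves are not visible there; the burst of POSTs to one endpoint from one client is the observable signal, and a hit should be followed by a file-system review for new PHP files rather than treated as proof on its own.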
Final Thoughts
This incident highlights the importance of rapid patching and continuous monitoring for organizations running widely deployed CMS platforms: the window between in-the-wild exploitation (February) and a public fix (April) was weeks, and unpatched installations remained exposed throughout. Chained vulnerabilities remain a favored technique for attackers, and an unauthenticated endpoint that interprets caller-supplied input is exactly the kind of link that turns a minor flaw into full compromise. Organizations should confirm their Craft CMS version is at or above the fixed releases, review logs and web roots for the indicators described above, and treat any evidence of a successful payload as a compromise rather than a near miss.