Jan 7, 2026 · 6 min read
CVE-2025-32432 is a CVSS 10.0 nightmare for Craft CMS admins. It lets unauthenticated attackers turn the `actionGenerateTransform` endpoint into an object-instantiation machine: by abusing Yii's `__class` property precedence and existing PHP gadget chains (specifically in Guzzle and Yii's internal classes), they can reach RCE. It is actively exploited in the wild.
The flaw is a critical pre-authentication Remote Code Execution (RCE) vulnerability in Craft CMS that abuses the configuration mechanism of the underlying Yii framework. By passing a malicious array to an endpoint that expects a string, attackers can instantiate arbitrary classes and trigger gadget chains that lead to full system compromise.
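As an added illustration (not Craft's or Yii's own code), here is a hypothetical Yii 2 controller showing the input-handling pattern that makes this bug class possible, beside its hardened form; the controller, the `ImageTransform` stand-in and the allowed handles are assumptions.

```php
<?php
// Added example, not Craft CMS or Yii code: a hypothetical Yii 2 controller
// showing the bug class behind CVE-2025-32432 beside its hardened form.
// Key fact: Yii::createObject() accepts an array and builds whatever class
// its `__class` key names (it takes precedence over `class`).

use yii\base\BaseObject;
use yii\web\BadRequestHttpException;
use yii\web\Controller;

/** Hypothetical stand-in for the application's transform model. */
class ImageTransform extends BaseObject
{
    public string $handle = '';
}

class TransformController extends Controller
{
    /** Transform handles this site defines; hypothetical values. */
    private const ALLOWED_HANDLES = ['thumb', 'hero', 'og-image'];

    /**
     * Vulnerable pattern (CWE-94). The code assumes `handle` is a string,
     * but PHP parses `handle[__class]=...` into an array, and that array is
     * handed straight to Yii's object-configuration API.
     */
    public function actionGenerateTransformVulnerable()
    {
        $handle = \Yii::$app->getRequest()->getRequiredBodyParam('handle');
        $config = is_array($handle) ? $handle : ['class' => ImageTransform::class, 'handle' => $handle];
        $transform = \Yii::createObject($config); // class chosen by the request
        return $this->asJson(['handle' => $transform->handle ?? null]);
    }

    /**
     * Hardened pattern. Enforce the type before the value reaches any
     * configuration API, and map it through an allow-list so request data
     * only ever fills scalar fields, never the class to instantiate.
     */
    public function actionGenerateTransform()
    {
        $handle = \Yii::$app->getRequest()->getBodyParam('handle');
        if (!is_string($handle) || !in_array($handle, self::ALLOWED_HANDLES, true)) {
            throw new BadRequestHttpException('handle must be a known transform handle');
        }
        // The class is fixed by the application; only the handle comes from input.
        $transform = \Yii::createObject(['class' => ImageTransform::class, 'handle' => $handle]);
        return $this->asJson(['handle' => $transform->handle]);
    }
}
```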
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Craft CMS (Pixel & Tonic) | 3.0.0-RC1 - < 3.9.15 | 3.9.15 |
| Craft CMS (Pixel & Tonic) | 4.0.0-RC1 - < 4.14.15 | 4.14.15 |
| Craft CMS (Pixel & Tonic) | 5.0.0-RC1 - < 5.6.17 | 5.6.17 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-94 (Improper Control of Generation of Code, 'Code Injection') |
| Attack Vector | Network (Pre-Auth) |
| CVSS | 10.0 (Critical) |
| EPSS Score | 0.77564 (High Probability) |
| Exploit Status | Active / Weaponized |
| Platform | PHP / Yii Framework |