Critical Pre‑Authentication Remote Code Execution Vulnerability in Craft CMS (CVE‑2025‑32432) Affects Versions up to 3.9.14, 4.14.14 and 5.6.16
What Happened – A pre‑authentication remote code execution (RCE) flaw was identified in Craft CMS versions ≤ 3.9.14, ≤ 4.14.14 and ≤ 5.6.16. The vulnerability is reachable through the assets/generate-transform controller action. It does not involve unserialize(); instead, attacker‑supplied request data is accepted as a Yii object‑configuration array, which lets the attacker instantiate a gadget chain of framework classes and point it at a PHP session file whose contents the attacker has previously poisoned. The result is arbitrary command execution on the host with no credentials required.
Why It Matters for TPRM –
- The flaw can be weaponized without any credentials, exposing any organization that relies on Craft CMS for web content or digital asset management.
- Successful exploitation grants OS‑level command execution in the context of the web server / PHP user, which is enough for data theft, web‑shell persistence, ransomware deployment, or lateral movement across the network.
- Many SaaS platforms, marketing sites, and e‑commerce front‑ends embed Craft CMS, expanding the attack surface across multiple industries.
Who Is Affected – Web‑application developers, digital agencies, e‑commerce operators, marketing teams, and any third‑party service that hosts or integrates Craft CMS (TECH_SAAS, MEDIA_ENT, RETAIL_ECOM, etc.).
Recommended Actions –
- Immediately verify the Craft CMS version in use (for example with `composer show craftcms/cms`) and upgrade to the first fixed release on your branch: 3.9.15, 4.14.15 or 5.6.17, or any later version. The fixed releases also pull in Yii 2.0.52, which closes the framework‑side weakness (CVE‑2024‑58136) the chain depends on.
- Until patched, apply web‑application firewall (WAF) rules to block unexpected POST requests to the assets/generate-transform action. Match on the action name rather than a single path: Craft routes the same action through /actions/assets/generate-transform, through /index.php?action=assets/generate-transform, and through an `action` form parameter in the request body.
- Review web‑server, reverse‑proxy and WAF logs for requests to that action whose query string or body contains the key `__class`, the indicator the vendor advisory lists; a hit means the host should be treated as compromised, not merely vulnerable (rotate the security key and credentials, inspect PHP session files for injected code).
- Conduct a rapid inventory of all public‑facing Craft CMS instances and perform penetration testing to confirm remediation.
Technical Notes – The exploit chains craft\behaviors\FieldLayoutBehavior into yii\rbac\PhpManager: the behavior is instantiated from attacker‑controlled configuration, and PhpManager is told to load its item file from a PHP session file that the attacker has poisoned via a crafted query string, so the session contents are executed as PHP. Exploitation was possible before a vendor fix existed; patches were subsequently released in 3.9.15, 4.14.15 and 5.6.17. Affected data includes any files the web server can access; the attack surface is the web server itself. Source: Exploit‑DB 52525
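As an added example, not code from the Craft CMS project, the vendor advisory or the Exploit‑DB entry, the following Python script implements the two checks from Recommended Actions that the Technical Notes explain: it compares an inventoried Craft version against the first fixed release on its branch, and it flags requests that hit the generate-transform action with a `__class` key in the query string or body (the indicator from the vendor advisory). The log format, the request lines and the payload strings are constructed for the example; ordinary access logs do not record request bodies, so in practice feed it WAF or reverse‑proxy audit logs that do.

```python
"""Triage helpers for CVE-2025-32432 (Craft CMS assets/generate-transform RCE).

Added example; not Craft CMS, vendor-advisory or Exploit-DB code.
Fixed versions come from the vendor advisory; log lines are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# First fixed release on each affected branch (vendor advisory).
FIXED = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

# The controller action; the same string appears whether Craft is reached via
# /actions/<action>, ?action=<action> or an 'action' form field.
ACTION = "assets/generate-transform"


def parse_version(text):
    """Turn '5.6.16' or 'Craft 4.14.14.1' into an (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this Craft release predates the fix for its major branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Branches outside 3.x-5.x are not listed as affected (assumption:
        # treat them as out of scope rather than vulnerable).
        return False
    return v < fixed


def target_release(version):
    """Return the 'X.Y.Z' a host must reach, or None if it is already fixed."""
    if not is_vulnerable(version):
        return None
    return ".".join(str(n) for n in FIXED[parse_version(version)[0]])


def is_exploit_attempt(method, path, body=""):
    """Flag a POST that targets the transform action and carries a Yii
    object-configuration payload, identified by the '__class' key.
    Both the query string and the body are URL-decoded first, so a
    percent-encoded key (%5F%5Fclass) is caught as well."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(path)
    query = unquote_plus(parts.query)
    decoded_body = unquote_plus(body)
    targets_action = any(ACTION in s for s in (parts.path, query, decoded_body))
    carries_payload = "__class" in query or "__class" in decoded_body
    return targets_action and carries_payload


# Constructed sample: '<client_ip> <method> <path> [<url-encoded body>]'.
# Two malicious POSTs (one with an encoded key), one benign POST, one GET.
SAMPLE_LOG = """\
203.0.113.5 POST /index.php?action=assets/generate-transform assetId=1&transform=%7B%22__class%22%3A%22example%22%7D
203.0.113.5 POST /actions/assets/generate-transform assetId=1&transform=%7B%22%5F%5Fclass%22%3A%22example%22%7D
198.51.100.7 POST /index.php action=assets%2Fgenerate-transform&assetId=1&handle=thumb
198.51.100.9 GET /index.php?p=about
"""


def scan_log(text):
    """Return [(client_ip, request_path)] for lines that look like attempts."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 3:
            continue
        ip, method, path = fields[:3]
        body = fields[3] if len(fields) == 4 else ""
        if is_exploit_attempt(method, path, body):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for host, ver in {"www": "5.6.16", "shop": "4.14.15", "legacy": "3.9.14"}.items():
        print(f"{host}: {ver} -> upgrade to {target_release(ver)}")
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"exploit attempt from {ip}: {path}")
```

The benign third line shows why the check keys on `__class` and not merely on the action name: legitimate image transforms hit the same endpoint, so blocking or alerting on the action alone generates noise on any site that serves transformed assets.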