PT-2025-17927 · Craft · Craft

Nicolas Bourras +2 · Published 2025-04-25 · Updated 2026-03-31 · CVE-2025-32432

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Craft CMS versions prior to 3.9.15
Craft CMS versions prior to 4.14.15
Craft CMS versions prior to 5.6.17

Description

Craft CMS is vulnerable to remote code execution. This is a high-impact, low-complexity issue actively exploited by the Mimo threat actor. The Mimo group has been observed deploying webshells, cryptominers (XMRig), and proxyware (IPRoyal) by exploiting this vulnerability. The exploitation involves deploying a webshell via a specially crafted GET request, allowing for arbitrary command execution on the compromised server. The attackers employ techniques to hide their malicious activity, including the use of the alamdar.so library. Approximately 13,000 vulnerable instances have been identified, with around 300 already compromised. The attackers are financially motivated and have demonstrated a diversification of tactics, including the potential for ransomware deployment.

Recommendations

Craft CMS versions prior to 3.9.15: Update to version 3.9.15 or later.
Craft CMS versions prior to 4.14.15: Update to version 4.14.15 or later.
Craft CMS versions prior to 5.6.17: Update to version 5.6.17 or later.

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-06516
CVE-2025-32432
GHSA-F3GW-9WW9-JMC3

Affected Products

Craft