PT-2025-17927 · Craft · Craft

Author: Nicolas Bourras

Published: 2025-04-25
Updated: 2026-01-12

CVE-2025-32432

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Craft versions 3.0.0-RC1 through 3.9.14
Craft versions 4.0.0-RC1 through 4.14.14
Craft versions 5.0.0-RC1 through 5.6.16

Description

Craft CMS is vulnerable to remote code execution. This is a high-impact, low-complexity issue. The Mimo intrusion set has been observed exploiting this vulnerability to deploy webshells, loaders, and proxyware, including the XMRig cryptominer and the IPRoyal proxy service. The attackers use techniques to conceal their activity, indicating a focus on financial gain and a potential expansion into ransomware. Approximately 13,000 instances are vulnerable, with around 300 already compromised. The vulnerability stems from improper handling of code generation. Exploitation involves sending a specially crafted GET request to deploy a webshell, which enables execution of arbitrary commands on the compromised server. The attackers employ methods to evade detection, such as using the alamdar.so library to hide malicious processes.

Recommendations

Update Craft CMS to version 3.9.15 or later.
Update Craft CMS to version 4.14.15 or later.
Update Craft CMS to version 5.6.17 or later.
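To turn the affected ranges and fix versions above into a check that can be run across an inventory of Craft installs, here is an added example in Python; it is not part of this advisory or of Craft's own code, and it assumes Craft version strings follow MAJOR.MINOR.PATCH with an optional pre-release suffix such as -RC1 or -beta.1.

```python
import re
from typing import Dict, Optional, Tuple

# (first affected, last affected, first fixed) per release line, as listed in the advisory.
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.14", "3.9.15"),
    ("4.0.0-RC1", "4.14.14", "4.14.15"),
    ("5.0.0-RC1", "5.6.16", "5.6.17"),
]

# Assumption: pre-release tags order alpha < beta < RC < final, as in SemVer-style schemes.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-RC1' into a tuple that sorts correctly,
    so that 3.0.0-RC1 < 3.0.0 < 3.0.1."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {v!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag is None:
        rank = FINAL_RANK
    elif tag.lower() in PRERELEASE_RANK:
        rank = PRERELEASE_RANK[tag.lower()]
    else:
        raise ValueError(f"unknown pre-release tag in {v!r}")
    return (int(major), int(minor), int(patch), rank, int(tag_num or 0))


def check_craft_version(v: str) -> Optional[str]:
    """Return the first fixed version to upgrade to if `v` falls inside an
    affected range, or None if the version is not affected."""
    parsed = parse_version(v)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= parsed <= parse_version(last):
            return fixed
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> required upgrade target for every vulnerable host in
    a {host: craft_version} inventory; unaffected hosts are omitted."""
    return {host: fixed for host, ver in inventory.items()
            if (fixed := check_craft_version(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {"cms-a": "4.14.14", "cms-b": "5.6.17", "cms-c": "3.0.0-RC1", "cms-d": "4.0.0-beta.1"}
    print(triage_inventory(sample))
```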

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-06516
CVE-2025-32432
GHSA-F3GW-9WW9-JMC3

Affected Products

Craft