A critical vulnerability in Craft CMS, tracked as CVE-2025-32432, is being actively exploited in the wild, allowing attackers to execute remote code. This flaw, which has a CVSS score of 10, affects Craft CMS versions from 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17. The vulnerability, categorized under CWE-94, enables remote code execution due to improper handling of user input, making it a high-impact, low-complexity attack vector.
The exploitation of this vulnerability has been swift, with attackers leveraging it within 328 days of its disclosure. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on March 20, 2026, underscoring its critical nature and the urgency for organizations to patch affected systems.
In recent attacks, a group identified as the Mimo hackers has been exploiting CVE-2025-32432 to deploy cryptomining software and proxyware on compromised systems. This activity not only consumes significant system resources but also poses a risk of further exploitation and data exfiltration. The availability of both a working exploit and multiple proof-of-concept (PoC) scripts has facilitated these attacks, making it imperative for organizations using Craft CMS to act swiftly.
Craft CMS is widely used for creating custom digital experiences, and the breadth of its deployment means that the impact of this vulnerability could be extensive. Organizations using affected versions should prioritize applying the latest patches to mitigate the risk of exploitation. The vendor has released updates to address the flaw, and administrators are urged to upgrade to the latest secure versions immediately.
Given the critical nature of this vulnerability and its active exploitation, security teams should also monitor their systems for signs of compromise, such as unusual network traffic or unexpected system resource usage, which could indicate the presence of cryptomining or proxyware. Implementing robust intrusion detection systems and maintaining up-to-date threat intelligence feeds can help in early detection and response to such threats.
CSURFACE