CISA has added CVE-2025-32432 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry affects Craft CMS, the open-source content-management system marketed by Craft. The vulnerability, titled "Craft CMS Code Injection Vulnerability", allows a remote attacker to execute arbitrary code on vulnerable installations.
The flaw is a code-injection weakness in Craft CMS's template rendering engine that permits remote code execution (RCE). An attacker can supply crafted input that is processed without proper sanitisation, leading to execution of attacker-controlled commands on the server. The vulnerability carries a CVSS v3.1 base score of 10.0, the maximum on the scale, and is therefore rated Critical. Exploitation requires network access to the vulnerable service, typically over HTTP/HTTPS. The vendor has released a patch; the fix is published through the official GitHub advisory (commit e1c85441fa47eeb7c688c2053f25419bc0547b47).
CISA's inclusion of the CVE confirms that active exploitation has been observed in the wild. While no ransomware campaigns have been linked to this flaw, the confirmed exploitation underscores the urgency of remediation. CISA has set a remediation deadline of 3 April 2026 for affected Federal Civilian Executive Branch (FCEB) agencies.
CISA's required action is to "apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Agencies should verify that the Craft CMS patch is applied, assess any cloud-based deployments against BOD 22-01, and consider decommissioning unpatched instances. All organisations using Craft CMS are advised to review their exposure, test the patch in a staging environment, and deploy it promptly.
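The review-your-exposure step above is easiest to operationalise by matching the KEV feed against an asset inventory and reporting how many days remain before CISA's due date. The script below is an added example, not code from CISA, Craft, or this advisory. It uses the field names of the public KEV JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`) but runs entirely on constructed data: the Craft CMS record is assembled from the text of this advisory, the second KEV record and the inventory hosts are placeholders, and the `triage` function and its output format are this example's own design.

```python
"""Triage CISA KEV entries against an internal asset inventory (added example).

Feed structure follows the public KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
all records below are constructed for the example.
"""
from datetime import date

# Constructed KEV-shaped feed. The first record is built from the advisory text;
# the second is a placeholder for an unrelated product so the matching is visible.
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-32432",
            "vendorProject": "Craft",
            "product": "Craft CMS",
            "vulnerabilityName": "Craft CMS Code Injection Vulnerability",
            "requiredAction": (
                "Apply mitigations per vendor instructions, follow applicable "
                "BOD 22-01 guidance for cloud services, or discontinue use of "
                "the product if mitigations are unavailable."
            ),
            "dueDate": "2026-04-03",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-XXXX-XXXXX",  # placeholder identifier, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-15",  # constructed
            "knownRansomwareCampaignUse": "Unknown",
        },
    ]
}

# Constructed asset inventory: hostnames are placeholders.
SAMPLE_INVENTORY = [
    {"host": "www-01.example.internal", "vendor": "Craft", "product": "Craft CMS", "patched": False},
    {"host": "www-02.example.internal", "vendor": "Craft", "product": "Craft CMS", "patched": True},
    {"host": "crm-01.example.internal", "vendor": "ExampleVendor", "product": "ExampleProduct", "patched": False},
]


def _norm(value: str) -> str:
    """Normalise vendor/product strings so inventory spelling differences still match."""
    return value.strip().casefold()


def kev_index(feed: dict) -> dict:
    """Index KEV entries by (vendor, product) for fast lookup from the inventory."""
    index: dict = {}
    for entry in feed.get("vulnerabilities", []):
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def triage(feed: dict, inventory: list, today: date) -> list:
    """Return one finding per unpatched asset that matches a KEV entry.

    Findings are sorted by days remaining to the CISA due date, so overdue items
    (negative days_left) come first.
    """
    index = kev_index(feed)
    findings = []
    for asset in inventory:
        if asset.get("patched"):
            continue  # vendor fix already applied; nothing to report
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in index.get(key, []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date.today()):
        status = "OVERDUE" if finding["overdue"] else f"{finding['days_left']} days left"
        print(f"{finding['host']}: {finding['cve']} due {finding['due']} ({status})")
        print(f"  action: {finding['action']}")
```

In production the feed dict would come from downloading the KEV JSON and the inventory from a CMDB export; the matching logic stays the same. Note that the Craft CMS host marked `patched` drops out of the report, which is the check the advisory asks agencies to perform, and that anything with a negative `days_left` has already missed the BOD 22-01 deadline.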
For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-32432 and the CISA KEV catalogue entry for CVE-2025-32432.