CISA Adds Craft CMS Code Injection Vulnerability to Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has officially listed a critical flaw in Craft CMS on its Known Exploited Vulnerabilities (KEV) catalog. Identified as CVE-2025-32432, the vulnerability allows attackers to inject arbitrary code into a website’s backend, and it is already being used in active attacks worldwide. If you run a site on Craft CMS, you need to act now to protect your data and your users.

What Is the Craft CMS Vulnerability?

Craft CMS is a popular content‑management system used by thousands of businesses, from small blogs to large e‑commerce platforms. The CVE‑2025‑32432 flaw is a classic code‑injection bug that occurs when the CMS fails to properly sanitize user input in certain administrative forms. Once an attacker can inject malicious code, they can execute commands on the server, read or modify files, and even take full control of the site.

Unlike many other CMS vulnerabilities that require a user to click a link or download a file, this flaw can be triggered remotely by sending a specially crafted HTTP request to a vulnerable Craft instance. Because the attack vector is purely web‑based, it can be launched from anywhere in the world, making it especially dangerous for sites that are publicly accessible.

How Attackers Are Leveraging the Flaw

Recent threat‑intel reports show that cybercriminals are already using CVE‑2025‑32432 to compromise high‑profile websites. Typical attack steps include:

  • Scanning the internet for Craft CMS installations that have not applied the latest security patch.
  • Sending a crafted request that injects PHP code into the CMS’s backend.
  • Executing the injected code to gain a shell or to upload a backdoor.
  • Using the compromised site as a foothold for lateral movement or data exfiltration.

In many cases, attackers have used the vulnerability to plant ransomware, steal sensitive customer data, or redirect visitors to phishing pages. The speed and simplicity of the exploit mean that even sites with minimal security awareness can become targets.

Immediate Actions for Website Owners

If you manage a site built on Craft CMS, follow these steps right away:

  1. Check Your Version. Log into your Craft control panel and verify the CMS version. The vulnerability affects Craft 3.7.x and earlier. If you’re on an older version, you’re at risk.
  2. Apply the Latest Patch. Download and install the official update from the Craft website or use Composer to run composer update craftcms/craft. The patch removes the vulnerable code path and adds stricter input validation.
  3. Review Custom Plugins. If you use third‑party plugins, ensure they are updated to the latest releases. Some plugins may contain legacy code that re‑introduces the injection point.
  4. Implement Web Application Firewall (WAF) Rules. Add rules to block suspicious POST requests to the /admin endpoint. A WAF can provide a temporary shield while you apply the patch.
  5. Audit Access Logs. Look for unusual activity around the admin panel. Check for repeated failed login attempts or unexpected POST requests.
  6. Change Passwords. Reset all administrative passwords and enable two‑factor authentication (2FA) for all accounts with CMS access.
  7. Backup Your Site. Take a full backup of your files and database before making changes. This ensures you can restore the site if something goes wrong during the update.
  8. Test After Patching. Verify that the site functions correctly and that the vulnerability
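The log-audit step above (step 5) is easy to script. The following is an added example, not code from the article or from the Craft CMS project: it reads web-server access-log lines in the common "combined" format and, per client address, reports bursts of failed control-panel logins and POST requests under the /admin path that arrive from an address that never completed a login. The sample log lines are constructed, and the login path (/admin/login), the "4xx on the login POST means a failed attempt" rule and the burst threshold are assumptions, not Craft defaults; adjust them to your own cpTrigger setting and observed traffic.

```python
"""Access-log audit for the Craft CMS checklist (added example, not the
article's or the project's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions (not Craft defaults): the control panel lives under /admin, the
# login form POSTs to /admin/login, a 4xx on that POST is a failed login, and
# five or more failures from one address within ten minutes is a burst.
ADMIN_PREFIX = "/admin"
LOGIN_PATH = "/admin/login"
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample lines (not real traffic). 203.0.113.10 logs in normally,
# 198.51.100.7 hammers the login form, 192.0.2.44 POSTs to an admin path
# without ever logging in.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2025:10:01:02 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Apr/2025:10:01:05 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Apr/2025:10:01:09 +0000] "POST /admin/entries/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2025:10:05:00 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2025:10:05:10 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2025:10:05:20 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2025:10:05:30 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2025:10:05:40 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
198.51.100.7 - - [28/Apr/2025:10:05:50 +0000] "POST /admin/login HTTP/1.1" 400 210 "-" "curl/8.0"
192.0.2.44 - - [28/Apr/2025:10:07:00 +0000] "POST /admin/example-action?x=1 HTTP/1.1" 200 40 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    # Drop the query string so /admin/login?x=1 still compares equal to LOGIN_PATH.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def audit(lines):
    """Return failed-login bursts and unexpected admin POSTs, keyed by client IP."""
    failed = defaultdict(list)      # ip -> timestamps of failed login POSTs
    authenticated = set()           # ips whose login POST got a 2xx/3xx
    unexpected = defaultdict(list)  # ip -> /admin paths POSTed without a prior login
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        if rec["path"] == LOGIN_PATH:
            if rec["status"] >= 400:
                failed[rec["ip"]].append(rec["time"])
            else:
                authenticated.add(rec["ip"])
            continue
        # Any other POST under /admin from an address that never logged in is
        # the "unexpected POST request" the checklist tells you to look for.
        if rec["ip"] not in authenticated:
            unexpected[rec["ip"]].append(rec["path"])

    bursts = {}
    for ip, times in failed.items():
        times.sort()
        # Sliding window: size of the densest cluster of failures within WINDOW.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILED_LOGIN_THRESHOLD:
            bursts[ip] = best
    return {"failed_login_bursts": bursts, "unexpected_admin_posts": dict(unexpected)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run it against a real log with `audit(open("/var/log/nginx/access.log").read().splitlines())`. Addresses that show up in either finding are candidates for the WAF block rule from step 4 and for a closer look at what else they requested; a successful login from an address that also appears in the burst list is the case that most deserves follow-up.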
