Craft CMS and CVE-2025-32432

On April 7, 2025, we received a report of a Craft CMS vulnerability that was based on a vulnerability in the Yii framework. Yii fixed that vulnerability in Yii 2.0.52.

We confirmed the vulnerability as valid and released Craft CMS versions 3.9.15, 4.14.15, and 5.6.17 on April 10th with an application-level fix.

We marked those releases as critical so affected sites would display a banner to control panel users, urging them to update.

On April 17, 2025, we discovered evidence to suggest the vulnerability was being exploited in the wild, so we emailed all potentially affected license holders, encouraging them to update or install the Craft CMS Security Patches library as a stop-gap.

Triage

If you check your firewall logs or web server logs and find suspicious POST requests to the actions/assets/generate-transform Craft controller endpoint, specifically with the string __class in the body, then your site has at least been scanned for this vulnerability.

This is not a confirmation that your site has been compromised; it has only been probed.

Mitigation

The best way to defend your site against this exploit is to update to one of the patched releases. For instructions, refer to our updating guide.

The next-best way to defend your site is to block suspicious payloads at the firewall level.

As a last resort, you can install the Craft CMS Security Patches library. Note that this is a temporary workaround until you can update your site to a patched version.

This has been fixed in Craft 3.9.15, 4.14.15, and 5.6.17. You should ensure you’re running at least one of these versions.

If you believe your site has been compromised:

  • Take your site offline by disabling all web access to it via your web server. This is important because even if you remove all malicious payloads before updating to patched releases, automated scripts can re-infect your site within seconds of being cleaned.

  • Remove any payloads or backdoors left on the filesystem. These are most commonly left in asset upload folders and public HTML folders, but can be anywhere. If you can deploy to newly provisioned compute (VMs or containers) using code from source control that you know hasn’t been compromised, that will help significantly. Services like https://sucuri.net can also help if you aren’t set up for this.

  • Update Craft and all plugins to patched versions.

  • Refresh your security key in case it has already been captured. You can run the php craft setup/security-key command and copy the updated CRAFT_SECURITY_KEY environment variable to all production environments.

  • If you have any other private keys stored as environment variables (e.g. S3 or Stripe), refresh those as well.

  • Rotate your database credentials.

  • Out of an abundance of caution, you may want to force all your users to reset their passwords in case your database is compromised. You can do that by running php craft resave/users --set passwordResetRequired --to "fn() => true"

  • Once you are sure all payloads have been removed, all secrets have been rotated, and Craft and plugins have been updated, re-enable web access to the site.
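The cleanup step above says payloads most often end up in asset upload folders and public HTML folders. The following is an added example, not Craft's own tooling, of a small scanner that walks those directories and reports files that should never be there: anything whose extension chain contains a server-executable extension (this also catches double extensions such as image.php.jpg), and server control files such as .htaccess or .user.ini that could switch script execution back on inside an upload directory. The extension and control-file lists, the allow-list for the web root, and the demo directory layout are all assumptions; treat the output as a starting point for manual review, not proof that a site is clean, since the page notes backdoors can be left elsewhere.

```python
"""Report script files and server control files found under Craft asset
upload directories or the public web root, as a post-compromise cleanup aid.

Added example, not part of Craft CMS. The extension list, control-file
names and default web-root layout are assumptions for a typical PHP host.
"""
import os
import tempfile
from pathlib import Path
from typing import Iterable, List

# Extensions a PHP web server may execute (assumption: typical PHP host).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Per-directory server config files that can re-enable execution in an upload dir.
CONTROL_FILES = {".htaccess", ".user.ini", "php.ini", "web.config"}


def is_suspicious(rel: Path) -> bool:
    """True if the file is a server control file, or if any part of its
    extension chain is executable (so shell.php.jpg is caught as well)."""
    if rel.name.lower() in CONTROL_FILES:
        return True
    return any(s.lower() in SCRIPT_EXTS for s in rel.suffixes)


def scan_tree(root: Path, allow: Iterable[str] = ()) -> List[str]:
    """Walk `root` and return the relative POSIX paths of suspicious files,
    skipping paths listed in `allow` (e.g. the legitimate web/index.php)."""
    allowed = {Path(a).as_posix() for a in allow}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root)
            if rel.as_posix() in allowed:
                continue
            if is_suspicious(rel):
                hits.append(rel.as_posix())
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed web root in a temp directory and scan it.
    The layout (web/index.php, web/uploads/...) is an assumed default."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "web")
        sample_files = [
            "index.php",            # legitimate Craft front controller
            ".htaccess",            # legitimate in the web root
            "uploads/photo.jpg",    # normal asset
            "uploads/2024/doc.pdf", # normal asset in a dated subfolder
            "uploads/cache.php",    # script dropped in an upload folder
            "uploads/img.php.jpg",  # double extension
            "uploads/.htaccess",    # control file inside the upload folder
        ]
        for rel in sample_files:
            p = web / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content\n")
        # Only the front controller and the root .htaccess are expected here.
        return scan_tree(web, allow={"index.php", ".htaccess"})


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

On a real site, call scan_tree on the web root with the files you know belong there in the allow-list, and separately on every asset volume's filesystem path with an empty allow-list; anything reported should be inspected and removed before the site is brought back online.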

Firewall

You can block potentially malicious requests at your firewall by inspecting the bodies of incoming POST requests to the actions/assets/generate-transform endpoint for the string __class.
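The indicator described in the Triage section and the rule described here are the same check from two sides: a POST to the actions/assets/generate-transform endpoint, with __class in the body. The following is an added example, not code from Craft CMS, that applies that check to log entries. It assumes Apache/nginx combined-format access log lines, Craft's default "actions" trigger word, and that the endpoint may also be reached through Craft's action request parameter (so both forms, including percent-encoded variants, are treated as the endpoint). One caveat a practitioner needs: ordinary access logs do not record POST bodies, so the __class test can only be applied when a WAF or reverse-proxy log captured the body; the example therefore reports a POST to the endpoint as a probe on its own and upgrades it when a captured body carries the marker. The sample lines are constructed and use documentation IP ranges.

```python
"""Scan access-log lines for probes of the Craft CMS
actions/assets/generate-transform endpoint (CVE-2025-32432).

Added example, not part of Craft CMS. Assumptions: combined log format,
Craft's default "actions" trigger word, and optional request bodies
supplied from a WAF/proxy log alongside the matching access-log line.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# /actions/assets/generate-transform or ?p=actions/assets/generate-transform
ACTION_PATH = re.compile(r"(?:^|[/=])actions/assets/generate-transform(?:[/?&#]|$)", re.I)
# ?action=assets/generate-transform (Craft's action request parameter; assumption)
ACTION_PARAM = re.compile(r"[?&]action=assets/generate-transform(?:[&#]|$)", re.I)
BODY_MARKER = re.compile(r"__class", re.I)

# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def targets_generate_transform(target: str) -> bool:
    """True when the request target (path + query) addresses the endpoint,
    after percent-decoding so encoded slashes do not slip past."""
    decoded = unquote(target)
    return bool(ACTION_PATH.search(decoded) or ACTION_PARAM.search(decoded))


def classify(line: str, body: Optional[str] = None) -> Optional[str]:
    """None for lines of no interest; 'probe' for a POST to the endpoint;
    'probe+payload' when a captured body also carries the __class marker."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if not targets_generate_transform(m["target"]):
        return None
    if body is not None and BODY_MARKER.search(body):
        return "probe+payload"
    return "probe"


def scan(entries: Iterable[Tuple[str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, request_target, verdict) for every flagged entry."""
    hits = []
    for line, body in entries:
        verdict = classify(line, body)
        if verdict is None:
            continue
        m = LOG_RE.match(line)
        hits.append((m["ip"], m["target"], verdict))
    return hits


# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_ENTRIES = [
    ('203.0.113.7 - - [18/Apr/2025:02:14:05 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 400 162 "-" "curl/8.5.0"', None),
    ('203.0.113.7 - - [18/Apr/2025:02:14:06 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 500 0 "-" "curl/8.5.0"', "assetId=1&__class=REDACTED"),
    ('198.51.100.2 - - [18/Apr/2025:02:15:00 +0000] "POST /index.php?action=assets%2Fgenerate-transform HTTP/1.1" 400 162 "-" "python-requests/2.32"', None),
    ('192.0.2.10 - - [18/Apr/2025:02:16:12 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 405 0 "-" "Mozilla/5.0"', None),
    ('192.0.2.11 - - [18/Apr/2025:02:17:30 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"', None),
]

if __name__ == "__main__":
    for ip, target, verdict in scan(SAMPLE_ENTRIES):
        print(f"{verdict:14} {ip:15} {target}")
```

A hit of either kind means the site was at least scanned; per the Triage section that is not proof of compromise. The same two tests, POST to the endpoint and __class in the body, are what a firewall rule should match on, and the percent-decoding step matters there too, since a rule that only matches the literal path can be bypassed by encoding.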

Craft Cloud

We have configured Craft Cloud’s global firewall to block malicious requests targeting this exploit. Craft Cloud users are still encouraged to update to patched versions of Craft.

We have no evidence of actual exploits on Craft Cloud.

Regardless of where you are hosted, we always recommend keeping your sites up-to-date so that they include the latest security fixes. Read more about hardening your Craft sites, or learn about the steps we take to keep Craft secure.

Credits

Credit to Orange Cyberdefense for discovering, reporting, and analyzing this bug.

Applies to Craft CMS 5, Craft CMS 4, Craft CMS 3, and Craft Cloud.