
CVE-2025-32432 PoC — Craft CMS Allows Remote Code Execution

Associated Vulnerability
Title: Craft CMS Allows Remote Code Execution (CVE-2025-32432)
Description: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Description
CVE-2025-32432
Readme
# 🧨 CVE-2025-32432 – Craft CMS Pre-auth RCE 🧨

### 🕵️ Overview

* **Severity**: Critical (CVSS Score: 10.0)
* **Type**: Remote Code Execution (RCE) via insecure deserialization
* **Affected Product**: Craft CMS
* **Authentication**: **None required** — attacker only needs a valid asset ID

---

### 📦 Affected Versions

* Craft CMS **3.x**: from 3.0.0-RC1 up to 3.9.14
* Craft CMS **4.x**: from 4.0.0-RC1 up to 4.14.14
* Craft CMS **5.x**: from 5.0.0-RC1 up to 5.6.16

---

### ✅ Fixed Versions

* **3.9.15**
* **4.14.15**
* **5.6.17**

---

### 🔬 Technical Details

* Vulnerability is in the endpoint: `/actions/assets/generate-transform`
* Attackers send a specially crafted **POST** request with a serialized PHP object that contains the `__class` property
* This triggers **unsafe deserialization**, which leads to **arbitrary code execution**
* Exploitable without authentication

---

### 🚨 Exploitation in the Wild

* **Actively exploited** by attackers in real-world attacks
* Threat actors (e.g., "Mimo" group) used it to drop **cryptominers**, **web shells**, and **proxyware**
* Thousands of Craft CMS instances are believed to be vulnerable, with hundreds confirmed compromised

---

### 🛡️ Mitigation Steps

1. **Update immediately** to one of the patched versions
2. If updating is not possible right away:

   * Block POST requests to `/actions/assets/generate-transform` that contain `__class`
   * Use Craft CMS’s security patching tools or plugins
3. If compromised:

   * Take the server offline
   * Remove any web shells or malicious files
   * Rotate all secrets and credentials
   * Force password resets for all users
   * Audit logs for suspicious activity

---

### 🧪 Indicators of Compromise (IoCs)

* Suspicious POST requests to `/actions/assets/generate-transform`
* Payloads containing `__class` in the request body
* Unexpected or recently modified PHP files
* Unusual resource usage (e.g., high CPU from cryptominers)
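As an added detection example (not code from the README or the PoC tool), the following Python flags requests matching the mitigation rule and IoCs above: a POST to `/actions/assets/generate-transform` whose body or query string carries `__class`. The record layout and sample values are constructed assumptions, not a Craft CMS log format; the matcher also decodes URL-encoded forms of the marker, which a plain substring check would miss.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/actions/assets/generate-transform"
MARKER = re.compile(r"__class", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL/form encoding, up to three rounds, so %5F%5Fclass or a
    double-encoded variant cannot slip past a plain substring check."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(rec: Dict[str, str]) -> bool:
    """True for a POST to the generate-transform endpoint whose body or
    query string carries the `__class` marker named in the IoC section."""
    if rec.get("method", "").upper() != "POST":
        return False
    url = urlsplit(rec.get("path", ""))
    if url.path.rstrip("/").lower() != TARGET_PATH:
        return False
    haystack = normalize(rec.get("body", "")) + "\n" + normalize(url.query)
    return MARKER.search(haystack) is not None


def scan(records: List[Dict[str, str]]) -> List[str]:
    """Return the id of every record that matches, ready to feed an alert."""
    return [r["id"] for r in records if is_suspicious(r)]


# Constructed sample records (assumption: a simplified WAF/access-log export).
SAMPLE_RECORDS = [
    {"id": "r1", "method": "POST", "path": "/actions/assets/generate-transform",
     "body": "assetId=42&handle=thumb&__class=PLACEHOLDER"},
    {"id": "r2", "method": "POST", "path": "/actions/assets/generate-transform/",
     "body": "assetId=42&%5F%5Fclass=PLACEHOLDER"},          # URL-encoded marker
    {"id": "r3", "method": "POST", "path": "/actions/assets/generate-transform",
     "body": "assetId=42&handle=thumb"},                      # benign transform
    {"id": "r4", "method": "GET", "path": "/actions/assets/generate-transform?__class=x",
     "body": ""},                                             # wrong method
    {"id": "r5", "method": "POST", "path": "/actions/users/login",
     "body": "__class=x"},                                    # wrong endpoint
]

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))  # ['r1', 'r2']
```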

---

### ⚠️ Summary

| Metric       | Value                               |
| ------------ | ----------------------------------- |
| **Severity** | Critical (10.0)                     |
| **Access**   | Remote, unauthenticated             |
| **Impact**   | Full remote code execution          |
| **Fix**      | Update to 3.9.15 / 4.14.15 / 5.6.17 |

---

### 🧰 Installation

```
# Clone the repository
git clone https://github.com/B1ack4sh/Blackash-CVE-2025-32432.git
cd Blackash-CVE-2025-32432   # directory name matches the cloned repository

# Install required dependencies
pip install -r requirements.txt
```

### 🐧 Requirements

* Python 3.6+
* Required Python packages (see requirements.txt):
  * requests
  * beautifulsoup4
  * urllib3

### 👨‍💻 Usage

### Single Target

To scan a single target:

```
sudo python3 CVE-2025-32432.py -u example.com
```

### 💾 Multiple Targets

To scan multiple targets from a file (one URL per line):

```
sudo python3 CVE-2025-32432.py -f urls.txt -t 10
```

Where `-t` specifies the number of threads to use (default is 5).

### 📁 Options

```
-u, --url     Single URL to test
-f, --file    File containing URLs to test (one per line)
-t, --threads Number of threads (default: 5)
-h, --help    Show help message and exit
```

---
### ⚠️ **Disclaimer**

> This information is provided for **educational and research purposes only**.
> Any actions taken to exploit or misuse vulnerabilities **without explicit permission** from the system owner are **illegal** and **unethical**.
> The author does **not endorse or encourage** unauthorized access or activities that violate laws or terms of service.
> Always test responsibly, within controlled environments or with proper authorization.


File Snapshot

[4.0K] /data/pocs/061ae975ecbf595b33c10dd8c08d6e151a56214e
├── [7.4K] CVE-2025-32432.py
└── [3.6K] README.md

0 directories, 2 files