CraftCMS Yii Class Injection RCE – CVE-2025-32432

Vulnerable Version

3.0.0-RC1 ≤ Craft CMS < 3.9.15
4.0.0-RC1 ≤ Craft CMS < 4.14.15
5.0.0-RC1 ≤ Craft CMS < 5.6.17

Fixed Version

Craft CMS 3.9.15
Craft CMS 4.14.15
Craft CMS 5.6.17
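The three affected ranges above share a subtlety that inventory scripts often get wrong: each lower bound is a release candidate, and a prerelease such as 4.0.0-RC1 sorts before the final 4.0.0, so a plain string or tuple comparison on "major.minor.patch" misclassifies the RC builds. The following added example (written for this page, not code from Craft CMS or the advisory author) parses version strings with an optional prerelease tag and tests them against the ranges exactly as stated in the advisory; the regex and the sorting scheme are this example's own assumptions.

```python
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("3.0.0-RC1", "3.9.15"),
    ("4.0.0-RC1", "4.14.15"),
    ("5.0.0-RC1", "5.6.17"),
]

# Assumed version shape: X.Y.Z with an optional "-tag[.]N" prerelease suffix
# (e.g. "4.0.0-RC1", "4.0.0-beta.2"). Anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(version: str):
    """Turn '4.14.15' or '4.0.0-RC1' into a tuple that sorts correctly.

    Layout: (major, minor, patch, is_final, tag, tag_number). A final release
    carries is_final=1, so it sorts after every prerelease of the same number.
    Prerelease tags compare alphabetically ("alpha" < "beta" < "rc"), which
    happens to match their usual maturity order.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, "", 0)
    return (int(major), int(minor), int(patch), 0, tag.lower(), int(tag_num or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(high)
               for low, high in AFFECTED_RANGES)


def classify(versions):
    """Map each version string to 'vulnerable' or 'patched' for a report."""
    return {ver: ("vulnerable" if is_vulnerable(ver) else "patched") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    for ver, state in classify(["3.9.14", "3.9.15", "4.0.0-RC1", "4.0.0-beta.1",
                                "5.6.16", "5.6.17"]).items():
        print(f"{ver:12} {state}")
```

Note that a version reported by a site is only as trustworthy as its source; the check is meant for your own asset inventory (composer.lock, the control panel, or package metadata), not for remote fingerprinting.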

Base Score

10.0 critical

Vendor Description:-

Craft CMS is a flexible, developer-friendly content management system built for creating custom websites and digital experiences. It gives complete control over content structure, making it ideal for complex and content-heavy projects. Craft uses a clean, intuitive control panel that’s easy for editors while remaining powerful for developers. With strong performance, security, and plugin support, it’s a great choice for modern, scalable websites.

CVE-2025-32432 Description:-

Craft CMS includes an asset transformation feature that automatically resizes and modifies images after upload, removing the need for editors to prepare images in specific dimensions. This improves workflow efficiency and helps maintain consistent visuals across a website. To function correctly, Craft CMS requires a valid asset ID to create transformation objects and manage media files. In Craft 3.x, this asset ID is validated before object creation, while in Craft 4.x and 5.x, validation occurs afterward. The reliance on this asset ID plays a key role in the exploitation of CVE-2025-32432.

The vulnerability arises from insufficient authorization controls combined with unsafe deserialization within the image transformation functionality. This feature allows administrators to define image transformation templates for selected assets. However, in affected versions, an unauthenticated attacker can send a POST request to the image processing endpoint, causing the server to process attacker-supplied data. By targeting the /index.php?p=admin/actions/assets/generate-transform endpoint with a specially crafted JSON payload, an attacker can abuse the deserialization process. The payload embeds a malicious PHP object that is deserialized by the application, ultimately enabling remote code execution through the GuzzleHttp\Psr7\FnStream class.

Impacts of CVE-2025-32432

  1. Unauthenticated Remote Code Execution (RCE)
    Attackers can execute arbitrary code on affected CMS servers without valid credentials.
  2. Full System Compromise Potential
    Successful exploitation may allow installation of malicious PHP files, persistence, and full control of the underlying host.
  3. High Severity (CVSS 10 / Critical)
    The vulnerability has a maximum critical CVSS score, with low attack complexity and no user interaction required.
  4. Active Exploitation in the Wild
    Multiple reports confirm the flaw is being actively probed and weaponized against public Craft CMS installations.
  5. Widespread Exposure
    Thousands of Craft CMS instances are vulnerable, making this a broad-risk internet-facing vulnerability for many websites.

Mitigations for CVE-2025-32432

  1. Apply Official Patches Immediately
    Upgrade to patched versions:
    • Craft CMS 3.9.15 or later
    • Craft CMS 4.14.15 or later
    • Craft CMS 5.6.17 or later
  2. Block Exploit Traffic at the Firewall
    Deploy firewall rules or WAF signatures to block suspicious POSTs to actions/assets/generate-transform with __class in the body.
  3. Inspect Logs for Probing Attempts
    Check web server and application logs for unusual POSTs to the vulnerable endpoint, especially those carrying object payloads.
  4. Harden Input Handling & Deserialization Policies
    Where possible, ensure PHP deserialization of untrusted input is disabled or validated thoroughly. (General secure development best practice aiding mitigation.)
  5. Security Monitoring & IPS/IDS Protections
    Enable IPS signatures (e.g., Craft CMS RCE signatures) on network defenses to automatically detect and block exploit attempts.
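Mitigations 2 and 3 above both come down to recognising two things: a POST aimed at the generate-transform action (reachable either as a path or through the `?p=` query parameter, as the description shows) and a request body carrying a `__class` key. The added example below (this page's own illustration, not code from Craft CMS or the advisory author) implements both checks in Python: a scanner for combined-format access logs, which have no body and so can only flag POSTs to the endpoint, and a body inspector of the kind a WAF or reverse-proxy middleware would run before the request reaches PHP. The log format regex and the sample log lines are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Suffix shared by both URL forms named in the advisory:
#   /index.php?p=admin/actions/assets/generate-transform
#   /actions/assets/generate-transform
TARGET_ACTION = "actions/assets/generate-transform"

# Assumed nginx/Apache "combined" log layout (constructed for this example).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def targets_generate_transform(request_target: str) -> bool:
    """True when the path or the ?p= parameter ends in the transform action."""
    parsed = urlparse(request_target)
    if parsed.path.strip("/").endswith(TARGET_ACTION):
        return True
    return any(p.strip("/").endswith(TARGET_ACTION)
               for p in parse_qs(parsed.query).get("p", []))


def _has_class_key(node) -> bool:
    """Recursively look for a '__class' key anywhere in decoded JSON."""
    if isinstance(node, dict):
        return any(k == "__class" or _has_class_key(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_has_class_key(v) for v in node)
    return False


def body_contains_class_key(body: str) -> bool:
    """Flag a request body that carries '__class' (JSON or form-encoded)."""
    try:
        return _has_class_key(json.loads(body))
    except ValueError:  # not JSON: fall back to a plain substring check
        return "__class" in body


def scan_access_log(lines):
    """Return one finding per POST aimed at the transform endpoint."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        if m["method"] == "POST" and targets_generate_transform(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "target": m["target"], "status": m["status"]})
    return findings


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:01:05 +0000] "POST /actions/assets/generate-transform HTTP/1.1" 400 87 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2025:12:02:10 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:12:02:11 +0000] "GET /assets/site/logo.png HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} POST {f['target']} -> {f['status']}")
    # Constructed bodies: the first mimics the shape the advisory describes,
    # the second is an ordinary transform request without an object payload.
    print(body_contains_class_key('{"assetId": 1, "handle": {"__class": "x"}}'))  # True
    print(body_contains_class_key('{"assetId": 1, "handle": {"width": 100}}'))   # False
```

A 200 on such a POST is the line to chase first, since in the affected 4.x and 5.x releases the asset ID is only validated after the object has been created; a 400 still records a probe and is worth correlating with the source address. The body check is only useful where the request body is available, so it belongs at the edge (WAF, proxy, or a PHP middleware), not in access-log review.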
