Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Craft CMS via Image Transformation (CVE-2025-32432)
## CVE Details
- CVE ID: CVE-2025-32432
- CVSS Score: Not explicitly provided; implied High, since the flaw is an RCE exploited in the wild. **Note:** The summary also mentions CVE-2024-58136 in the Yii framework, which is the underlying or related issue.
- CWE: Not stated; likely Improper Input Validation or Code Injection.
## Affected Systems
- Products: Craft CMS
- Versions: All versions prior to the patched releases listed below (the source explicitly mentions an instance running **Craft CMS 4.12.8** being compromised).
- Configurations: Installations of Craft CMS 3, 4, or 5 where the image transformation endpoint is reachable. Exploitation requires a valid Asset ID.
## Vulnerability Description
CVE-2025-32432 is an unauthenticated Remote Code Execution (RCE) vulnerability in Craft CMS, stemming from an incomplete fix or related issue within the underlying Yii Framework components. The flaw resides in the endpoint responsible for on-the-fly image transformation (`/index.php?p=admin/actions/assets/generate-transform`). An attacker can send a crafted POST request containing data that is interpreted during the creation of the transformation object. By iterating and guessing a valid Asset ID, the attacker can trigger the vulnerability, leading to code execution on the server.
This vulnerability was actively exploited in the wild, used primarily to upload a PHP file manager (sourced from `github.com/alexantr/filemanager`) which was then used to deploy additional PHP files like `wp-22.php` and `style.php` to the web root.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by forensic investigation of an incident on February 14th).
- Complexity: **Medium** (Requires successful exploitation of the image transformation endpoint and finding a valid Asset ID).
- Attack Vector: **Network** (Remote via HTTP POST request).
## Impact
- Confidentiality: High (Remote code execution allows access to server contents).
- Integrity: High (Code execution allows modification or creation of files).
- Availability: High (System compromise can lead to service disruption).
## Remediation
### Patches
Craft CMS released fixes concurrently with the discovery:
- Craft CMS **3.9.15**
- Craft CMS **4.14.15**
- Craft CMS **5.6.17**
### Workarounds
No specific vendor workarounds were detailed, but mitigation actions derived from the vulnerability mechanism include:
1. Restricting access to the image transformation endpoint if possible.
2. Disabling or restricting the asset transformation feature temporarily if patching is not immediately possible.
## Detection
- **Indicators of Compromise (IOCs):**
  * Abnormal POST requests to the URI `/index.php?p=admin/actions/assets/generate-transform`.
  * User-Agent strings suggesting automated scripts (e.g., `python-requests/2.27.1`).
  * Presence of uploaded files such as `filemanager.php` or other suspicious PHP scripts (`wp-22.php`, `style.php`) in the web root directory.
  * Hash matches for the uploaded files (e.g., `filemanager.php` MD5: `d8fddbd85e6af76c91bfa17118dbecc6`).
- **Detection Methods and Tools:**
  * Monitoring web server access logs for high volumes of requests to the transformation endpoint.
  * File integrity monitoring (FIM) on the web application directory structure.
  * Reviewing Craft CMS system logs (`CRAFT_INSTALL_PATH/storage/logs/`) and `phperrors.log` for related activity.
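The following is an added detection example, not code from the original report or from the referenced investigation. It scans web server access logs (combined log format) for the IOCs listed above: bursts of POSTs to the transformation endpoint, automated User-Agent strings on that endpoint, and requests for the dropped file names. The sample log lines, IP addresses, and the burst threshold are constructed for illustration; the heuristics are meant to separate repeated automated POSTs from the occasional request a legitimate control-panel session may issue.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:01:01 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 312 "-" "python-requests/2.27.1"
203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 400 312 "-" "python-requests/2.27.1"
203.0.113.7 - - [14/Feb/2025:10:01:03 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 4011 "-" "python-requests/2.27.1"
198.51.100.4 - - [14/Feb/2025:10:05:10 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Feb/2025:10:05:12 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 4011 "https://example.test/admin" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2025:10:06:30 +0000] "GET /filemanager.php HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRANSFORM_URI = "/index.php?p=admin/actions/assets/generate-transform"   # endpoint from the report
DROPPED_FILES = ("/filemanager.php", "/wp-22.php", "/style.php")         # file names from the report
AUTOMATED_UA = re.compile(r"python-requests|curl/|go-http-client", re.I)  # assumed scripted clients

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text, burst_threshold=3):
    """Return {client_ip: [finding, ...]} for IPs that trip at least one IOC heuristic."""
    posts = Counter()
    findings = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = findings.setdefault(rec["ip"], set())
        if rec["method"] == "POST" and rec["uri"] == TRANSFORM_URI:
            posts[rec["ip"]] += 1
            if AUTOMATED_UA.search(rec["ua"]):
                tags.add("automated_ua_on_transform_endpoint")
        # A request for a known dropped file name, ignoring any query string.
        if rec["uri"].split("?", 1)[0] in DROPPED_FILES:
            tags.add("request_for_known_dropped_file")
    # burst_threshold is an assumed tuning value; raise it on busy control panels.
    for ip, count in posts.items():
        if count >= burst_threshold:
            findings[ip].add("transform_endpoint_burst")
    return {ip: sorted(tags) for ip, tags in findings.items() if tags}

if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

A hit on `transform_endpoint_burst` or `request_for_known_dropped_file` should be followed by the file integrity and Craft log review steps listed above rather than treated as conclusive on its own.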
## References
- Vendor Advisory: Craft CMS advisory published 2025-04-24.
- Related Yii Notice: Upgrade to Yii 2.0.52 required for CVE-2024-58136 (incomplete fix issue).
- Orange Cyberdefense (SensePost) blog post: `https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/`