POC details: 061ae975ecbf595b33c10dd8c08d6e151a56214e

Source
Related vulnerability
Title: CraftCMS code injection vulnerability (CVE-2025-32432)
Description: CraftCMS is a content management system from the CraftCMS company. Versions of CraftCMS from 3.0.0-RC1 before 3.9.15, from 4.0.0-RC1 before 4.14.15, and from 5.0.0-RC1 before 5.6.17 contain a security vulnerability that may lead to remote code execution.
Description
CVE-2025-32432
Introduction
# 🧨 CVE-2025-32432 – Craft CMS Pre-auth RCE 🧨

### 🕵️ Overview

* **Severity**: Critical (CVSS Score: 10.0)
* **Type**: Remote Code Execution (RCE) via insecure deserialization
* **Affected Product**: Craft CMS
* **Authentication**: **None required** — attacker only needs a valid asset ID

---

### 📦 Affected Versions

* Craft CMS **3.x**: from 3.0.0-RC1 up to 3.9.14
* Craft CMS **4.x**: from 4.0.0-RC1 up to 4.14.14
* Craft CMS **5.x**: from 5.0.0-RC1 up to 5.6.16

---

### ✅ Fixed Versions

* **3.9.15**
* **4.14.15**
* **5.6.17**

---

### 🔬 Technical Details

* Vulnerability is in the endpoint: `/actions/assets/generate-transform`
* Attackers send a specially crafted **POST** request with a serialized PHP object that contains the `__class` property
* This triggers **unsafe deserialization**, which leads to **arbitrary code execution**
* Exploitable without authentication

---

### 🚨 Exploitation in the Wild

* **Actively exploited** by attackers in real-world attacks
* Threat actors (e.g., "Mimo" group) used it to drop **cryptominers**, **web shells**, and **proxyware**
* Thousands of Craft CMS instances are believed to be vulnerable, with hundreds confirmed compromised

---

### 🛡️ Mitigation Steps

1. **Update immediately** to one of the patched versions
2. If updating is not possible right away:

   * Block POST requests to `/actions/assets/generate-transform` that contain `__class`
   * Use Craft CMS’s security patching tools or plugins
3. If compromised:

   * Take the server offline
   * Remove any web shells or malicious files
   * Rotate all secrets and credentials
   * Force password resets for all users
   * Audit logs for suspicious activity

---

### 🧪 Indicators of Compromise (IoCs)

* Suspicious POST requests to `/actions/assets/generate-transform`
* Payloads containing `__class` in the request body
* Unexpected or recently modified PHP files
* Unusual resource usage (e.g., high CPU from cryptominers)
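The first two indicators above (a POST to the transform endpoint whose body carries `__class`) are also the predicate behind the interim blocking rule in the mitigation section. The following triage script is an added example, not code from the PoC repository or from Craft CMS; it assumes request records (client, method, request target, POST body) are available from a WAF audit log or a reverse proxy that captures bodies, and every sample record in it is constructed. It goes slightly beyond the bullet list by percent-decoding the body and query string and normalising the path, so an encoded marker or a doubled slash does not slip past a naive substring match.

```python
"""Triage request records for the CVE-2025-32432 request pattern.

Added example; not part of the PoC repository or of Craft CMS.
Assumes records with method, request-target and body are available
(e.g. from a WAF audit log). All sample records below are constructed.
"""
from collections.abc import Iterable
from dataclasses import dataclass
from urllib.parse import unquote_plus, urlsplit

# Values taken from the advisory text above.
ENDPOINT = "/actions/assets/generate-transform"
MARKER = "__class"


@dataclass(frozen=True)
class RequestRecord:
    client: str
    method: str
    target: str  # request-target as the server saw it (path plus optional query)
    body: str    # raw POST body, "" when there is none


def _normalize_path(target: str) -> str:
    """Strip the query string, collapse duplicate slashes and drop a trailing slash."""
    path = urlsplit(target).path
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def is_exploit_attempt(rec: RequestRecord) -> bool:
    """True when the record matches the IoC: POST to the transform endpoint carrying `__class`.

    Body and query string are percent-decoded first so that an encoded
    marker such as %5F%5Fclass is caught as well.
    """
    if rec.method.upper() != "POST":
        return False
    if _normalize_path(rec.target) != ENDPOINT:
        return False
    decoded = unquote_plus(rec.body) + "&" + unquote_plus(urlsplit(rec.target).query)
    return MARKER in decoded.lower()


def triage(records: Iterable[RequestRecord]) -> list[RequestRecord]:
    """Return only the matching records, ready for alerting or for a block list."""
    return [r for r in records if is_exploit_attempt(r)]


# Constructed sample records (hypothetical clients and bodies, not real traffic).
SAMPLE_RECORDS = [
    # benign static asset request
    RequestRecord("203.0.113.5", "GET", "/images/logo.png", ""),
    # legitimate transform call from the control panel: no marker in the body
    RequestRecord("203.0.113.7", "POST", ENDPOINT,
                  "assetId=1&handle=thumb&CRAFT_CSRF_TOKEN=CONSTRUCTED"),
    # exploit-shaped request: the marker is what matters, the rest is a placeholder
    RequestRecord("198.51.100.9", "POST", ENDPOINT, "assetId=1&__class=PLACEHOLDER"),
    # same pattern with a doubled slash, trailing slash and percent-encoded marker
    RequestRecord("198.51.100.9", "POST", "/actions//assets/generate-transform/",
                  "assetId=1&%5F%5Fclass=PLACEHOLDER"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"ALERT {hit.client} {hit.method} {hit.target}")
```

The same `is_exploit_attempt` predicate can drive a temporary block rule while the upgrade is scheduled; the legitimate control-panel call in the sample set is left alone because it never carries the marker, which keeps the interim rule from breaking normal image transforms.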

---

### ⚠️ Summary

| Metric       | Value                               |
| ------------ | ----------------------------------- |
| **Severity** | Critical (10.0)                     |
| **Access**   | Remote, unauthenticated             |
| **Impact**   | Full remote code execution          |
| **Fix**      | Update to 3.9.15 / 4.14.15 / 5.6.17 |

---

### 🧰 Installation

```
# Clone the repository
git clone https://github.com/B1ack4sh/Blackash-CVE-2025-32432.git
cd CVE-2025-32432

# Install required dependencies
pip install -r requirements.txt
```

### 🐧 Requirements

+ Python 3.6+
+ Required Python packages (see requirements.txt):
  * requests
  * beautifulsoup4
  * urllib3

### 👨‍💻 Usage

### Single Target

To scan a single target:

```
sudo python3 CVE-2025-32432.py -u example.com
```

### 💾 Multiple Targets

To scan multiple targets from a file (one URL per line):

```
sudo python3 CVE-2025-32432.py -f urls.txt -t 10
```

Where `-t` specifies the number of threads to use (default is 5).

### 📁 Options

```
-u, --url     Single URL to test
-f, --file    File containing URLs to test (one per line)
-t, --threads Number of threads (default: 5)
-h, --help    Show help message and exit
```

---


### ⚠️ **Disclaimer**

> This information is provided for **educational and research purposes only**.
> Any actions taken to exploit or misuse vulnerabilities **without explicit permission** from the system owner are **illegal** and **unethical**.
> The author does **not endorse or encourage** unauthorized access or activities that violate laws or terms of service.
> Always test responsibly, within controlled environments or with proper authorization.


File snapshot

```
[4.0K] /data/pocs/061ae975ecbf595b33c10dd8c08d6e151a56214e
├── [7.4K] CVE-2025-32432.py
└── [3.6K] README.md

0 directories, 2 files
```

Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.