By Lyrie Threat Intelligence·3/20/2026

CISA has added CVE-2025-32432 to its Known Exploited Vulnerabilities (KEV) catalog, which signals confirmed in-the-wild exploitation and sets a remediation deadline for federal agencies ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). The flaw is a code injection vulnerability in Craft CMS that gives a remote attacker, with no local access, remote code execution (RCE) on the affected host ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)). GitHub tracks the same issue as advisory GHSA-f3gw-9ww9-jmc3, which carries the developer-facing remediation guidance ([GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3)).

What happened

  • CISA added CVE-2025-32432 to the KEV on 2026-03-20 with a remediation due date of 2026-04-03, which reflects active exploitation and mandates action by FCEB agencies ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
  • The vulnerability is classified as code injection (CWE-94) in Craft CMS and allows arbitrary code execution by a remote attacker, a high-impact RCE-class issue ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)).
  • The CVE record published by MITRE confirms the identifier and the Craft CMS vendor/product association, consistent with the public advisories ([MITRE CVE record](https://www.cve.org/CVERecord?id=CVE-2025-32432)).

Why it matters

  • Inclusion in the KEV catalog means exploitation has been observed in the wild, and CISA requires urgent remediation across federal networks under Binding Operational Directive 22-01 ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
  • Code injection leading to RCE lets an attacker run arbitrary commands in the application's context, which can mean full compromise of the CMS host and, depending on the environment, lateral movement from it ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)).
  • Craft CMS sits in production-facing content workflows; exploitation on a public web tier can be turned into data access, content tampering, and service disruption, the usual RCE impact pattern ([GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3)).

Technical detail

  • CVE-2025-32432 is a code injection vulnerability mapped to CWE-94: attacker-controlled input is evaluated as code by the target, so the attacker's instructions execute with the application's privileges ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)).
  • The attack vector is network-based, so exploitation needs no local access; internet-facing Craft CMS deployments are exposed because the malicious payload travels over ordinary web request paths ([MITRE CVE record](https://www.cve.org/CVERecord?id=CVE-2025-32432)).
  • GitHub's advisory GHSA-f3gw-9ww9-jmc3 maps the CVE to the Craft CMS codebase and carries the developer-oriented remediation references for maintainers and operators ([GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3)).

Defense

  • Patch or apply vendor mitigations in line with the KEV directive, which requires agencies to remediate by the listed due date or to apply approved mitigations where an immediate fix is not available ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
  • Use the GitHub advisory to confirm which Craft CMS components and version lines are affected and which release fixes them before rolling the update through staging and production ([GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3)).
  • Treat vulnerable Craft CMS instances as high-risk internet-exposed assets, given remote exploitability and the RCE outcome, and schedule emergency change windows to minimize exposure time ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)).
  • Where patching is not immediately possible, apply compensating controls consistent with KEV guidance (reduce attack surface, restrict management interfaces to trusted networks, and enforce strict request filtering at the edge) while tracking toward the mandated remediation date ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
  • After mitigation, review access and error logs for indicators consistent with RCE attempts (unexpected 500s, anomalous input patterns, or execution errors), prioritizing windows that overlap the exploitation timeline implied by the KEV listing ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
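The first three Defense bullets (confirm the fixed release, find every vulnerable Craft CMS instance, and track the KEV due date) are one workflow, and the Verdict below restates it as a patch-SLA policy. The script that follows is an added example, not Lyrie's or Craft's code. It correlates a KEV record with a host inventory and reports which hosts are vulnerable and how many days remain before the CISA due date. The KEV excerpt is constructed but uses the field names of CISA's public KEV JSON feed; the inventory hosts and versions are constructed; and the fixed-version map is an assumption that must be confirmed against GHSA-f3gw-9ww9-jmc3 before the script is trusted for real decisions.

```python
"""Correlate a CISA KEV entry with a Craft CMS host inventory.

Added example, not Lyrie's or Craft's own code. All data below is constructed
for illustration; confirm the fixed versions against the GitHub advisory.
"""
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed ("vulnerabilities" list,
# cveID / vendorProject / product / dateAdded / dueDate fields).
KEV_FEED = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-32432",
            "vendorProject": "Craft CMS",
            "product": "Craft CMS",
            "dateAdded": "2026-03-20",
            "dueDate": "2026-04-03",
        }
    ]
}

# ASSUMPTION: first fixed release per supported major line. Verify against
# GHSA-f3gw-9ww9-jmc3 before relying on these numbers.
FIXED_VERSIONS = {3: "3.9.15", 4: "4.14.15", 5: "5.6.17"}

# Constructed inventory: hostname -> Craft CMS version as fingerprinted.
INVENTORY = {
    "web-01": "5.6.12",
    "web-02": "5.6.17",
    "web-03": "4.14.10",
    "web-04": "3.9.15",
    "web-05": "2.9.1",   # end-of-life line with no fix listed
}


def parse_version(text):
    """Turn '5.6.12' into (5, 6, 12) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the version is below the first fixed release of its line.

    A major line with no known fix is treated as vulnerable (fail closed) so
    that it surfaces for manual review rather than silently passing.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return True
    return parsed < parse_version(fixed)


def kev_entry(feed, cve_id):
    """Return the KEV record for cve_id, or None if it is not listed."""
    for entry in feed["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def correlate(feed, inventory, cve_id, today):
    """List vulnerable hosts with the KEV due date and days remaining."""
    entry = kev_entry(feed, cve_id)
    if entry is None:
        return []
    due = date.fromisoformat(entry["dueDate"])
    report = []
    for host, version in sorted(inventory.items()):
        if not is_vulnerable(version):
            continue
        report.append({
            "host": host,
            "version": version,
            "cve": cve_id,
            "due": entry["dueDate"],
            "days_to_due": (due - today).days,
            "overdue": today > due,
        })
    return report


if __name__ == "__main__":
    for row in correlate(KEV_FEED, INVENTORY, "CVE-2025-32432", date.today()):
        state = "OVERDUE" if row["overdue"] else f"{row['days_to_due']}d left"
        print(f"{row['host']:8} {row['version']:8} {row['cve']} due {row['due']} ({state})")
```

In production the feed would be fetched from CISA's published JSON rather than embedded, and the inventory would come from the asset fingerprinting the Verdict describes; the comparison logic and the fail-closed handling of unknown version lines stay the same.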

Lyrie Verdict

CVE-2025-32432 is an RCE-class code injection in a public-facing CMS, and KEV inclusion confirms real-world abuse; this is exactly where autonomous, machine-speed control wins ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). Lyrie's stance: continuously fingerprint Craft CMS assets, auto-correlate KEV-listed CVEs, and enforce patch SLAs ahead of KEV due dates, while watching for RCE-consistent behaviour flagged by the CVE context ([NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432)). Against rogue-AI-driven exploitation that iterates payloads rapidly, defense must be just as fast: a policy that automatically isolates an internet-facing CMS node on suspected code execution until it is patched closes the human-reaction gap ([GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3)).
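The last Defense bullet and the Verdict's "watch for RCE-consistent behaviour" both come down to the same log triage: action-route requests that error out, request data carrying code, and a single client iterating payloads quickly. The script below is an added example, not Lyrie's or Craft's code and not a signature for this CVE's actual payload. It applies those three generic checks to NCSA combined-format access log lines. The log lines are constructed for this example; the action route marker relies only on Craft CMS routing controller actions under `actions/` via the `p` path parameter, and the `CODE_MARKERS` list and burst thresholds are assumptions a team would tune for its own traffic.

```python
"""Triage web access logs for RCE-consistent behaviour against Craft CMS.

Added example, not Lyrie's or Craft's own code. Sample log lines are
constructed; the marker list and thresholds are assumptions to tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed NCSA combined-format lines; not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:13 +0000] "POST /index.php?p=actions/demo/run HTTP/1.1" 500 512 "-" "python-requests/2.31"
203.0.113.7 - - [20/Mar/2026:10:01:14 +0000] "POST /index.php?p=actions/demo/run HTTP/1.1" 500 512 "-" "python-requests/2.31"
203.0.113.7 - - [20/Mar/2026:10:01:16 +0000] "POST /index.php?p=actions/demo/run&x=%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B HTTP/1.1" 200 91 "-" "python-requests/2.31"
198.51.100.4 - - [20/Mar/2026:10:02:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2026:10:02:03 +0000] "GET /assets/site.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Craft CMS dispatches controller actions under "actions/" through the "p"
# path parameter; a request to that route is the interesting surface here.
ACTION_ROUTE = "p=actions/"

# ASSUMPTION: crude markers of PHP code or stream wrappers in request data.
CODE_MARKERS = ("<?php", "eval(", "php://", "base64_decode(", "system(")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def has_code_marker(path):
    """True if the URL-decoded request target contains a code marker."""
    decoded = unquote_plus(path).lower()
    return any(marker in decoded for marker in CODE_MARKERS)


def triage(log_text, burst_window=60, burst_threshold=3):
    """Summarise, per client IP, the three RCE-consistent signals.

    action_5xx   : action-route requests that ended in a server error
    code_markers : requests whose decoded target carries code markers
    burst        : >= burst_threshold action-route POSTs within burst_window s
    Clients that trip no signal are omitted from the result.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = defaultdict(lambda: {"action_5xx": 0, "code_markers": 0, "burst": False})
    action_posts = defaultdict(list)

    for event in events:
        is_action = ACTION_ROUTE in event["path"]
        if is_action and event["status"] >= 500:
            findings[event["ip"]]["action_5xx"] += 1
        if has_code_marker(event["path"]):
            findings[event["ip"]]["code_markers"] += 1
        if is_action and event["method"] == "POST":
            action_posts[event["ip"]].append(event["ts"])

    # Sliding window over sorted timestamps: any burst_threshold consecutive
    # action POSTs inside burst_window seconds counts as payload iteration.
    for ip, times in action_posts.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= burst_window:
                findings[ip]["burst"] = True
                break

    return dict(findings)


if __name__ == "__main__":
    for ip, signals in triage(SAMPLE_LOG).items():
        print(ip, signals)
```

Run over real logs, the useful output is the set of client IPs that trip more than one signal inside the KEV-implied exploitation window; those hosts are the candidates for the automatic isolation the Verdict calls for, and the 500s in particular should be cross-checked against the PHP error log for execution failures that a successful injection would not leave behind.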

Lyrie Verdict

CVE-2025-32432 is an RCE-class code injection in a public-facing CMS, and KEV inclusion confirms real-world abuse—this is exactly where autonomous, machine-speed control wins [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Lyrie’s stance: continuously fingerprint Craft CMS assets, auto-correlate KEV-listed CVEs, and enforce patch SLAs before KEV due dates, while watching for RCE-consistent behaviors flagged by the CVE context [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2025-32432). For rogue-AI-driven exploitation that iterates payloads rapidly, defense must be just as fast—policy that automatically isolates internet-facing CMS nodes on suspected code execution until patched closes the human-reaction gap [GitHub advisory](https://github.com/advisories/GHSA-f3gw-9ww9-jmc3).