What happened
A Craft CMS code injection vulnerability exploited in attacks has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog after confirmed active exploitation in the wild. The flaw, tracked as CVE-2025-32432, is a code injection issue categorized under CWE-94 that affects Craft CMS. It allows a remote, unauthenticated attacker to execute arbitrary code directly on the underlying server. CISA added the issue to the catalog on March 20, 2026, confirming that threat actors are actively leveraging it in real-world attacks. The agency said it is unknown whether the vulnerability is being used in ongoing ransomware campaigns. It also set an April 3, 2026 remediation deadline for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01 and urged private-sector organizations and global enterprises to move on the same aggressive patching timeline.
Who is affected
The direct exposure affects organizations using Craft CMS, particularly internet-exposed deployments. Federal Civilian Executive Branch agencies are directly required to remediate the flaw under Binding Operational Directive 22-01, while private-sector organizations and global enterprises using Craft CMS face potential exposure if vulnerable systems remain unpatched.
Why CISOs should care
This issue matters because it involves a remote, unauthenticated code execution path in a content management system that CISA has already confirmed is being exploited in the wild. For CISOs, the relevance is immediate: the flaw creates direct server-level compromise risk and now carries a formal federal remediation deadline.
3 practical actions:
- Apply the latest security updates: Immediately deploy the latest security updates provided for Craft CMS, in line with the remediation urgency described for this actively exploited vulnerability.
- Review web access logs: Actively monitor web access logs for anomalous behavior or unauthorized administrative access attempts associated with exploitation activity.
- Discontinue vulnerable use if needed: If the official patch cannot be applied immediately, follow applicable cloud service security guidance or temporarily discontinue use of the vulnerable product until secure mitigations are in place.
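The second action above (reviewing web access logs for unauthorized administrative access attempts) is the one a defender can script. The following is an added example, not code from this advisory, from CISA, or from the Craft CMS project. It assumes the Apache/nginx "combined" access-log format and Craft's default control-panel path prefix (/admin, or index.php?p=admin/... when pretty URLs are disabled); the threshold, the IP addresses, the request paths and the sample log lines are all constructed for illustration. It flags two generic signals: an IP repeatedly receiving 401/403 on control-panel requests, and control-panel requests that produced server errors, which often accompany malformed or unexpected input and deserve a closer look.

```python
"""Scan web-server access logs for suspicious Craft CMS control-panel activity.

Added example for the "review web access logs" action. Not code from the
advisory, CISA, or Craft CMS. Assumes the combined log format and Craft's
default /admin control-panel prefix; thresholds and sample data are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ADMIN_PREFIX = "/admin"     # Craft CMS default control-panel path (assumption)
AUTH_FAIL_THRESHOLD = 5     # constructed threshold: 401/403 admin responses per IP

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2026:10:00:01 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Mar/2026:10:00:05 +0000] "POST /admin/login HTTP/1.1" 302 0 "https://example.test/admin/login" "Mozilla/5.0"
192.0.2.55 - - [21/Mar/2026:10:00:30 +0000] "GET /blog/hello-world HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2026:10:01:00 +0000] "POST /admin/login HTTP/1.1" 403 120 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:01:01 +0000] "POST /admin/login HTTP/1.1" 403 120 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:01:02 +0000] "GET /admin/dashboard HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:01:03 +0000] "GET /admin/settings HTTP/1.1" 403 120 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:01:04 +0000] "GET /admin/users HTTP/1.1" 403 120 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:01:09 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 500 0 "-" "python-requests/2.31"
garbage line that does not match the log format
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_request(path):
    """True if the request targets the Craft control panel (pretty or index.php?p= form)."""
    parts = urlsplit(path)
    if parts.path == ADMIN_PREFIX or parts.path.startswith(ADMIN_PREFIX + "/"):
        return True
    # Craft's 'p' path parameter carries the route when pretty URLs are off (assumption).
    p = parse_qs(parts.query).get("p", [""])[0]
    return p == "admin" or p.startswith("admin/")


def scan(lines, threshold=AUTH_FAIL_THRESHOLD):
    """Return findings: IPs with repeated unauthorized admin requests, admin 5xx hits, unparsed count."""
    failures = defaultdict(int)
    server_errors = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so format drift is noticed, not silently ignored
            continue
        if not is_admin_request(rec["path"]):
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
        elif rec["status"] >= 500:
            server_errors.append((rec["ip"], rec["path"], rec["status"]))
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "unauthorized_admin_attempts": flagged,
        "admin_server_errors": server_errors,
        "unparsed_lines": unparsed,
    }


def report(lines):
    """Human-readable summary of scan() for a log file or list of lines."""
    findings = scan(lines)
    for ip, n in sorted(findings["unauthorized_admin_attempts"].items()):
        print(f"[!] {ip}: {n} unauthorized control-panel responses (401/403)")
    for ip, path, status in findings["admin_server_errors"]:
        print(f"[!] {ip}: control-panel request {path} returned {status}")
    print(f"[i] {findings['unparsed_lines']} line(s) did not match the log format")
    return findings


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

Run it against a real file with `report(open("access.log"))`. Neither signal proves exploitation; they pick out the IPs and requests worth correlating with application logs, and the threshold should be tuned to the site's normal control-panel traffic before it is used for alerting.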
