Critical Craft CMS Vulnerability (CVE-2025-32432) Actively Exploited in the Wild A severe code injection vulnerability in Craft CMS (CVE-2025-32432) has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after confirmed active exploitation. The flaw, classified under CWE-94 (Improper Control of Code Generation), allows remote, unauthenticated attackers to execute arbitrary code on vulnerable servers. Craft CMS, a widely used enterprise content management system, is at high risk due to this vulnerability. Successful exploitation grants attackers full control over affected systems, enabling data exfiltration, website defacement, or lateral movement into internal networks. While it remains unclear whether the flaw is being used in ransomware campaigns, its potential for initial access makes it a prime target for threat actors, including state-sponsored groups and access brokers. CISA added CVE-2025-32432 to the KEV catalog on March 20, 2026, mandating federal agencies under Binding Operational Directive (BOD) 22-01 to patch by April 3, 2026. Though the directive applies only to government entities, CISA recommends all organizations adopt the same urgency in remediation. Unpatched Craft CMS instances exposed to the internet are highly visible targets, likely already being scanned and exploited by automated attack tools. Mitigation requires immediate patching via vendor updates, with temporary workarounds such as disabling the vulnerable component recommended if patching is delayed. Organizations are also advised to monitor web access logs for suspicious activity.

The Mimo threat group exploited a maximum-severity vulnerability (CVE-2025-32432) in Craft CMS to deploy MimoLoader, a malicious payload distributing cryptocurrency mining malware (XMRig) and residential proxyware (IPRoyal). The attack began with initial access via a Turkish IP address, where threat actors installed a web shell to execute persistence scripts. These scripts terminated existing XMRig processes before deploying the Mimo Loader, which then injected both the cryptocurrency miner and proxyware onto compromised systems.The rapid weaponization of CVE-2025-32432—from disclosure to active exploitation—demonstrates Mimo’s high operational agility. While the primary impact involves unauthorized resource consumption (CPU/memory for mining) and proxy network abuse, the breach also risks further lateral movement if left unchecked. Organizations using Craft CMS face operational disruption, reputational damage, and potential financial losses from cryptojacking. The attack does not explicitly mention data exfiltration or ransomware, but the persistence mechanisms suggest long-term compromise risks.