Hackers Exploit Craft CMS Flaws: A Deep Dive into CVE-2025-32432
Summary
Craft, an open-source content management system (CMS), has reportedly been hit by a zero-day remote code execution (RCE) vulnerability tracked as CVE-2025-32432; posts on Reddit indicate it is already being exploited in the wild.
The flaw allows unauthorised access and code execution without any authentication, making it an unauthenticated RCE and a serious threat to every exposed Craft installation.
Craft CMS has confirmed that the bug is present in its leaderboard plugin, and version 1.1.1 addresses the issue for users who have updated.
Those who have not yet updated are advised to do so, perform a full security audit, and consider reinstalling the entire system from scratch, since patching alone does not remove anything an attacker may already have planted on a compromised host.
The incident has renewed concerns over the speed of disclosure and how much time developers are given to address vulnerabilities before they are exploited.
For open-source CMS engines like Craft, vulnerability disclosure policies are a particular challenge, because the many contributors involved hold differing views on when and how vulnerabilities should be disclosed.