CVE-2025-32432 Google Chronicle · YARA-L

Detect CVE-2025-32432: Craft CMS Remote Code Injection in Google Chronicle

Detects exploitation of CVE-2025-32432, a critical code injection vulnerability (CWE-94) in Craft CMS that allows remote attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV) and targets Craft CMS installations via malicious template or input injection vectors.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule craft_cms_cve_2025_32432_code_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-32432 Craft CMS code injection exploitation attempts"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2025-32432"
    mitre_attack = "T1190, T1059, T1505.003"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.network.http.method = "POST"
    (
      re.regex($http.network.http.request_url, `(?i)/actions/|/admin/|/index\.php`)
    )
    (
      re.regex($http.network.http.request_url, `(?i)phpinfo|base64_decode|eval\(|system\(|exec\(|assert\(|passthru\(|shell_exec\(`)
      or re.regex($http.network.http.request_body, `(?i)phpinfo|base64_decode|eval\(|system\(|exec\(|assert\(`)
    )

  condition:
    $http
}
critical severity high confidence

Chronicle YARA-L rule detecting HTTP POST requests to Craft CMS paths with PHP code injection patterns consistent with CVE-2025-32432 exploitation.

Data Sources

Chronicle HTTP LogsNetwork TelemetryWeb Proxy Logs

Required Tables

network_httpweb_proxy

False Positives & Tuning

  • Security assessment tools probing Craft CMS for CVE-2025-32432 as part of authorized vulnerability management
  • CI/CD pipelines that POST PHP template content to Craft CMS staging environments
  • Threat hunting exercises replaying known exploit payloads from intelligence feeds

Other platforms for CVE-2025-32432

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-32432 PHP Info Probe via Craft CMS Action Endpoint

    Expected signal: HTTP POST to /actions/test with 'phpinfo()' in request body; web server access log entry; potential 200 response with PHP environment disclosure

  2. Test 2CVE-2025-32432 Base64-Encoded Command Injection

    Expected signal: HTTP POST to /actions/users/login with 'base64_decode' in POST body; web server log capturing encoded payload; potential process spawn of 'id' command from php parent

  3. Test 3CVE-2025-32432 Webshell Drop via File Write Injection

    Expected signal: POST to /actions/ with file_put_contents payload; new file 'shell.php' created in web root with anomalous timestamp; subsequent GET to /shell.php with cmd parameter; process execution of 'id' spawned from PHP

  4. Test 4CVE-2025-32432 Reverse Shell Payload Simulation

    Expected signal: HTTP POST to Craft CMS action endpoint with bash reverse shell command in body; outbound TCP connection from web server to attacker IP on port 4444; process tree showing bash spawned from php parent; network flow anomaly for web server initiating outbound connection

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-32432 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1505.003Web Shell

Same Tactic: Initial Access

Popular Detections