Detect CVE-2025-32432: Craft CMS Remote Code Injection in Microsoft Sentinel
Detects exploitation of CVE-2025-32432, a critical code injection vulnerability (CWE-94) in Craft CMS that allows remote attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV) and targets Craft CMS installations via malicious template or input injection vectors.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence
KQL Detection Query
union isfuzzy=true
(
W3CIISLog
| where csUriStem has_any ("/actions/", "/index.php", "/admin/") and csMethod == "POST"
| where csUriQuery has_any ("phpinfo", "base64_decode", "eval(", "system(", "exec(", "passthru(", "shell_exec(", "assert(", "preg_replace")
| project TimeGenerated, Computer, csClientIP = cIP, csUriStem, csUriQuery, csUserAgent, scStatus
),
(
AzureDiagnostics
| where Category == "AppServiceHTTPLogs"
| where requestUri_s has_any ("/actions/", "/admin/")
| where httpMethod_s == "POST"
| where userAgent_s !has "Googlebot" and userAgent_s !has "Bingbot"
| where originalRequestUriWithArgs_s has_any ("phpinfo", "eval(", "base64_decode", "system(", "exec(", "assert(")
| project TimeGenerated, Resource, clientIP_s, requestUri_s, originalRequestUriWithArgs_s, httpMethod_s, httpStatusCode_d
),
(
CommonSecurityLog
| where DeviceVendor has_any ("F5", "Palo Alto Networks", "Fortinet", "Imperva")
| where RequestURL has_any ("/actions/", "/admin/", "/index.php")
| where Message has_any ("phpinfo", "eval(", "base64_decode", "system(", "exec(", "assert(", "code_injection", "CVE-2025-32432")
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Message
)
| where TimeGenerated > ago(24h)
Detects HTTP POST requests to Craft CMS endpoints containing code injection payloads characteristic of CVE-2025-32432 exploitation, sourced from IIS logs, Azure App Service logs, and WAF/NGFW logs; the final filter scopes all three branches to the past 24 hours. Note that IIS and App Service access logs record the URI and query string but not the request body, so a payload carried only in the POST body is visible to this query solely through the WAF/NGFW branch (CommonSecurityLog Message).
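To see what the W3CIISLog branch actually matches, here is an added example (not part of the original detection package) that parses a constructed IIS W3C log sample and applies the same method, URI-stem and injection-term filters in Python. It goes one step beyond the KQL by URL-decoding the query string first, so a percent-encoded payload that the raw `has_any` check would miss still produces a hit; the log lines, IPs and endpoints are constructed for illustration.

```python
from urllib.parse import unquote_plus

# Match terms copied from the W3CIISLog branch of the Sentinel query above.
URI_STEMS = ("/actions/", "/index.php", "/admin/")
INJECTION_TERMS = ("phpinfo", "base64_decode", "eval(", "system(", "exec(",
                   "passthru(", "shell_exec(", "assert(", "preg_replace")

# Constructed IIS W3C extended log sample (not real traffic); IIS writes
# user agents with '+' instead of spaces, so each line splits cleanly.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-05-01 10:00:01 10.0.0.5 POST /index.php/actions/users/login - 203.0.113.10 Mozilla/5.0 200
2025-05-01 10:00:02 10.0.0.5 POST /actions/test config=PHPINFO() 198.51.100.7 python-requests/2.31 200
2025-05-01 10:00:03 10.0.0.5 GET /admin/dashboard q=eval(1) 203.0.113.10 Mozilla/5.0 200
2025-05-01 10:00:04 10.0.0.5 POST /actions/users/login cmd=exec%28%22id%22%29 198.51.100.7 curl/8.0 500
2025-05-01 10:00:05 10.0.0.5 POST /static/app.js cmd=system(id) 192.0.2.9 Mozilla/5.0 404
"""

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def has_any(value, terms):
    """Case-insensitive substring test; approximates KQL has_any."""
    v = value.lower()
    return any(t.lower() in v for t in terms)

def detect(rows, url_decode=True):
    """Apply the IIS branch of the query; URL-decoding is an addition."""
    hits = []
    for r in rows:
        query = r.get("cs-uri-query", "-")
        if url_decode:
            query = unquote_plus(query)
        if (r.get("cs-method") == "POST"
                and has_any(r.get("cs-uri-stem", ""), URI_STEMS)
                and has_any(query, INJECTION_TERMS)):
            hits.append({"time": f"{r['date']} {r['time']}", "client": r["c-ip"],
                         "stem": r["cs-uri-stem"], "query": query, "status": r["sc-status"]})
    return hits
```

On the sample, the decoded run flags two POSTs from 198.51.100.7 while the raw-string run flags only the `phpinfo` probe; the GET to `/admin/` and the POST to a non-Craft path are excluded as in the KQL.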
Data Sources
Required Tables: W3CIISLog, AzureDiagnostics (Category "AppServiceHTTPLogs"), CommonSecurityLog
False Positives & Tuning
- Security scanners or penetration testing tools probing Craft CMS endpoints
- Developers testing code-related functionality in staging environments behind the same logging pipeline
- Legitimate Craft CMS plugin operations that include template-like syntax in POST bodies
- WAF log noise from automated vulnerability scanning services (e.g., Shodan, Censys)
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CVE-2025-32432 PHP Info Probe via Craft CMS Action Endpoint
Expected signal: HTTP POST to /actions/test with 'phpinfo()' in request body; web server access log entry; potential 200 response with PHP environment disclosure
- Test 2: CVE-2025-32432 Base64-Encoded Command Injection
Expected signal: HTTP POST to /actions/users/login with 'base64_decode' in POST body; web server log capturing encoded payload; potential process spawn of 'id' command from php parent
- Test 3: CVE-2025-32432 Webshell Drop via File Write Injection
Expected signal: POST to /actions/ with file_put_contents payload; new file 'shell.php' created in web root with anomalous timestamp; subsequent GET to /shell.php with cmd parameter; process execution of 'id' spawned from PHP
- Test 4: CVE-2025-32432 Reverse Shell Payload Simulation
Expected signal: HTTP POST to Craft CMS action endpoint with bash reverse shell command in body; outbound TCP connection from web server to attacker IP on port 4444; process tree showing bash spawned from php parent; network flow anomaly for web server initiating outbound connection