Notes

Craft CMS Vulnerability: How Spicy Web Responded to the ACSC Security Alert.

News — The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) recently issued an alert about a large-scale exploitation campaign targeting content management systems (CMS) worldwide, including in Australia. Here's Spicy Web's response.

Posted by
08.04.2026

Security alerts have a way of landing in the inbox and making the whole day feel a bit heavier. This one is worth a moment of your time, and the good news comes first: if Spicy Web manages your Craft CMS site, you are already covered.

The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) recently issued an alert about a large-scale exploitation campaign targeting content management systems (CMS) around the world, Australia included. It names several vulnerable platforms and plugins, one of which is a Craft CMS flaw tracked as CVE-2025-32432.

Craft cms ascs security alert

What is CVE-2025-32432?

In plain terms, this is about as serious as web vulnerabilities get. CVE-2025-32432 is a critical, unauthenticated remote code execution flaw in Craft CMS, which means an attacker could run code of their choosing on an affected server without ever needing to log in. The weakness is an insecure deserialisation flaw in Craft's image and asset transform feature, where a specially crafted request could be used to slip malicious code through.

Craft CMS gave it the maximum possible severity score, CVSS 10, and moved quickly, releasing patches on 10 April 2025.

How Spicy Web responded

Every Craft CMS site we manage was patched to a fixed version back in April 2025, when the vulnerability was first disclosed. That is well before this week's ACSC alert landed.

When the advisory came through, we did not just assume everything was fine. The team went back and checked. In direct response to the alert, we:

  • Re-confirmed that every managed Craft CMS installation is running a patched version (3.9.15, 4.14.15, 5.6.17 or later)
  • Reviewed server file systems and web access logs for webshells and the other indicators of compromise described in the ACSC alert
  • Found no evidence of compromise, unauthorised file changes, or malicious activity on any site we look after

What this means for clients

There is nothing you need to do. Your site was not exposed during the wider campaign the ACSC describes, and we found no signs of related compromise.

For us, keeping a platform secure is not a box to tick once and forget about. We keep an eye on vendor security advisories for the platforms we support and roll out critical patches as a matter of course, getting ahead of public disclosure wherever we can. It is quiet, ongoing work, and it is the reason an alert like this one is, for our clients, mostly just interesting reading.

Reference: ASD's ACSC - Large-scale exploitation campaign targeting website content management systems