Vulnerability Assessment

KEV Alert: Craft CMS and Laravel Livewire Under Active Exploitation

CISA has KEV-listed CVE-2025-32432 (Craft CMS) and CVE-2025-54068 (Laravel Livewire) for active exploitation. CMS and framework teams should treat patching as an immediate priority.

Katrin, Researcher · March 26, 2026 · 11 min read

Two KEV Entries, One Operational Message

CISA added CVE-2025-32432 (Craft CMS code injection) and CVE-2025-54068 (Laravel Livewire remote code execution) to the Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. For security teams, these entries transform two separate vendor advisories into a single operational directive: identify affected systems, reduce exposure immediately, and execute validated patches within a compressed timeline. KEV status is one of the strongest public signals available that attackers are already leveraging these flaws in real campaigns.

Both vulnerabilities target widely deployed web application components. Craft CMS is a popular content management system used across corporate websites, marketing platforms, and internal portals. Laravel Livewire is a full-stack framework component used in many PHP-based business applications. The overlap in exposure profile means that organizations running either technology on internet-facing infrastructure should treat these advisories as high-priority remediation events, not routine patching tasks.

Technical Context: What Makes These Flaws Dangerous

CVE-2025-32432 affects Craft CMS versions 3.9.x (before 3.9.15), 4.x (before 4.14.15), and 5.x (before 5.6.17). The vulnerability allows code injection through the content management interface, giving attackers a path from web request to server-side code execution. In environments where Craft CMS powers public-facing content, this means an unauthenticated or low-privilege attacker may be able to reach arbitrary execution without needing internal network access first.

CVE-2025-54068 targets Laravel Livewire v3 versions up to 3.6.3 and enables remote code execution through crafted requests to Livewire endpoints. Because Livewire components often handle form submissions, dynamic UI updates, and backend logic, exploitation can occur through normal-looking HTTP traffic. The fix is available in version 3.6.4 and later. Both vulnerabilities share a common operational risk: they sit on components that are typically internet-reachable by design, which compresses the time between initial exposure and potential compromise.

Exposure Patterns in the DACH Mid-Market

Many mid-market organizations in the DACH region use Craft CMS for corporate websites, campaign landing pages, or customer portals. These deployments are often managed by external agencies or internal marketing teams, which can create ownership gaps that slow down security response. When a KEV-listed vulnerability affects a CMS, the first challenge is frequently not technical but organizational: who owns the deployment, who can authorize downtime for patching, and who validates that the fix was applied correctly?

Laravel Livewire presents a similar challenge in a different context. It is commonly embedded in custom business applications built by development teams that may not have direct security oversight. The framework component can be present in internal tools, partner portals, or customer-facing applications without appearing in a traditional asset inventory. For security teams, this means that standard vulnerability scanning may not flag Livewire exposure unless the scanning tooling is configured to detect framework-level components, not just operating system or server-level vulnerabilities.

48-Hour Response: Phased Containment and Remediation

Phase one is exposure reduction. Within the first hours, identify all instances of Craft CMS and Laravel Livewire across production, staging, and development environments. For Craft CMS, check version numbers against the affected ranges and prioritize any instance reachable from the internet. For Livewire, audit PHP application dependencies to confirm which projects include vulnerable versions. Where immediate patching is not feasible, implement network-level access restrictions to reduce the attack surface while remediation is prepared.

Phase two is controlled patching and validation. Upgrade Craft CMS to 3.9.15, 4.14.15, or 5.6.17 depending on your branch. Upgrade Laravel Livewire to 3.6.4 or later. After applying fixes, validate that application functionality is intact and confirm that the vulnerable code paths are no longer reachable. Review web server and application logs for indicators of exploitation attempts, including unusual POST requests to CMS admin paths or Livewire endpoints. Document every step for audit purposes: which systems were assessed, what versions were found, when patches were applied, and who approved the changes.
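As an added illustration of the phase-one version check (not code from the original post or from either project), a Python helper that reads a composer.lock, assumes the Composer package names craftcms/cms and livewire/livewire, and flags entries inside the affected ranges quoted above; the sample lock file is constructed.

```python
import json
import re
# Affected ranges as stated above: branch prefix -> first fixed release.
CRAFT_FIXED = {"3.9": "3.9.15", "4": "4.14.15", "5": "5.6.17"}
LIVEWIRE_FIXED = {"3": "3.6.4"}
# Composer package names assumed for the two components.
WATCHLIST = {"craftcms/cms": CRAFT_FIXED, "livewire/livewire": LIVEWIRE_FIXED}

def parse_version(v):
    """'v5.6.3' / '5.6.3-beta.1' -> (5, 6, 3); () for dev-* style tags."""
    core = v.split("-")[0]  # drop pre-release / stability suffix
    return tuple(int(n) for n in re.findall(r"\d+", core)[:3])

def is_vulnerable(version, fixed_by_branch):
    """True when version is on a listed branch and below that branch's fix.
    Branches absent from the table (e.g. Craft 3.8.x) return False here and
    must be checked against the vendor advisory separately."""
    v = parse_version(version)
    for branch, fixed in fixed_by_branch.items():
        b = parse_version(branch)
        if v and v[:len(b)] == b:
            return v < parse_version(fixed)
    return False

def triage_lock(lock_json):
    """Map watched package -> installed version for every vulnerable entry.
    Non-numeric versions (dev-main etc.) are reported as 'unverifiable'
    rather than silently treated as safe."""
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        ranges = WATCHLIST.get(pkg.get("name"))
        if not ranges:
            continue
        ver = pkg.get("version", "")
        if not parse_version(ver):
            findings[pkg["name"]] = "unverifiable"
        elif is_vulnerable(ver, ranges):
            findings[pkg["name"]] = ver
    return findings

# Constructed sample composer.lock (not from any real project).
SAMPLE_LOCK = json.dumps({"packages-dev": [], "packages": [
    {"name": "craftcms/cms", "version": "5.6.3"},
    {"name": "livewire/livewire", "version": "v3.6.4"},
    {"name": "laravel/framework", "version": "v11.0.0"}]})

if __name__ == "__main__":
    for name, ver in triage_lock(SAMPLE_LOCK).items():
        print(f"ACTION REQUIRED: {name} {ver}")
```

Run it against each project's composer.lock during the inventory step; an "unverifiable" result means a dev branch that needs a manual version check.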

Governance Takeaway: CMS and Framework Risk Under NIS2

These KEV entries reinforce a pattern that security leadership must internalize: web application components are increasingly part of the active threat landscape, not just a background maintenance concern. Under NIS2-aligned expectations, organizations need to demonstrate that they can identify, prioritize, and remediate actively exploited vulnerabilities in a documented and timely manner. CMS and framework patches that languish in agency backlogs or developer sprint queues become governance liabilities when exploitation is already confirmed.

The practical lesson is to extend asset inventory and vulnerability management to cover web application frameworks and CMS platforms with the same rigor applied to infrastructure components. Teams that maintain a current inventory of framework versions, have pre-approved emergency patch workflows, and can demonstrate remediation timelines in audit scenarios are better positioned to absorb these events without operational disruption. The goal is not to prevent every vulnerability from appearing, but to close the gap between public exploitation evidence and organizational response to a defensible, documented minimum.
