CVE-2024-58136

Published Apr 10, 2025

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-58136 is a vulnerability in Yii 2, a PHP framework, affecting versions before 2.0.52. Yii 2 mishandles attaching a behavior whose configuration array names its class with the `__class` key; `__class` is an alternate way of naming the class that the fix for the earlier CVE-2024-4990 did not cover, so this CVE is a regression of that fix (CWE-424, Improper Protection of Alternate Path). The flaw stems from insufficient type and configuration checks around PHP's `__set()` magic method and the `Yii::createObject()` factory, which can lead to the instantiation of arbitrary PHP classes with attacker-controlled arguments, and therefore to attacker influence over the behavior of a Yii 2 web application. It was exploited in the wild between February and April 2025; the reports collected under Social media below tie that activity to an exploitation chain with the Craft CMS vulnerability CVE-2025-32432.
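The mechanism described above, as an added illustration that is not part of this page or of the Yii project's code: a behavior given as a configuration array is handed to a factory that accepts either a `class` or a `__class` key, while the guard in front of it only looks at `class`. The class names, the factory's key precedence and the side-effect counter are assumptions made for this example; the point it demonstrates is that the guard must resolve the class exactly the way the factory does, and must do so before anything is constructed.

```php
<?php
// Added illustration, not Yii's own code. Models the pattern the CVE describes:
// a behavior configuration array is instantiated by a factory (stand-in for
// Yii::createObject) that honours either `class` or `__class`, while the
// pre-fix guard validated only `class`. Class names and the precedence between
// the two keys are assumptions made for this example.
declare(strict_types=1);

abstract class Behavior {}                     // stand-in for yii\base\Behavior
final class AuditBehavior extends Behavior {}  // a legitimate behavior (constructed)

// Stand-in for an arbitrary class an attacker would rather see instantiated;
// the counter records that its constructor ran, which is the observable harm.
final class SideEffectOnConstruct
{
    public static int $instances = 0;
    public string $target = '';

    public function __construct()
    {
        self::$instances++;
    }
}

// Stand-in for Yii::createObject(): resolves the class from either key,
// instantiates it, then assigns the remaining keys as public properties.
function createObject(array $config): object
{
    $class = $config['__class'] ?? $config['class'] ?? null;
    if (!is_string($class) || !class_exists($class)) {
        throw new InvalidArgumentException('configuration has no usable class key');
    }
    unset($config['class'], $config['__class']);
    $object = new $class();
    foreach ($config as $property => $value) {
        $object->$property = $value;
    }
    return $object;
}

// Pre-fix shape of the guard: only `class` is validated before the factory
// runs, so a `__class` key reaches createObject() unchecked.
function attachBehaviorBeforeFix(array $config): object
{
    if (isset($config['class']) && !is_subclass_of($config['class'], Behavior::class)) {
        throw new RuntimeException('Attached behavior must be an instance of Behavior');
    }
    return createObject($config);   // the constructor has already run by now
}

// Hardened shape: resolve the class the same way the factory will, and reject
// anything that is not a Behavior before constructing it.
function attachBehaviorFixed(array $config): Behavior
{
    $class = $config['__class'] ?? $config['class'] ?? null;
    if (!is_string($class) || !is_subclass_of($class, Behavior::class)) {
        throw new RuntimeException('Attached behavior must be an instance of Behavior');
    }
    $behavior = createObject($config);
    assert($behavior instanceof Behavior);
    return $behavior;
}

$cases = [
    'legitimate'   => ['class' => AuditBehavior::class],
    '__class only' => ['__class' => SideEffectOnConstruct::class, 'target' => '/tmp/x'],
    // both keys: the old guard inspects `class`, the factory prefers `__class`
    'both keys'    => ['class' => AuditBehavior::class, '__class' => SideEffectOnConstruct::class],
];

foreach (['attachBehaviorBeforeFix', 'attachBehaviorFixed'] as $guard) {
    foreach ($cases as $label => $config) {
        $before = SideEffectOnConstruct::$instances;
        try {
            $result = 'accepted ' . get_class($guard($config));
        } catch (RuntimeException $e) {
            $result = 'rejected';
        }
        $constructed = SideEffectOnConstruct::$instances - $before;
        printf("%-24s %-13s %-32s dangerous ctor ran: %d\n", $guard, $label, $result, $constructed);
    }
}
```

Run with `php` 8.0 or later. The "both keys" case is the one to keep in mind when auditing similar factories: a guard that validates one spelling of the class key while the factory prefers another is bypassed even when the validated key is perfectly legitimate.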

Description
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
Source
cve@mitre.org
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Yiiframework Yii Improper Protection of Alternate Path Vulnerability
Exploit added on
May 2, 2025
Exploit action due
May 23, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
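The first mitigation step is knowing which deployments still lock an affected Yii 2 release. The following is an added example, not taken from this page or from the Yii project, that reads a Composer lock file and flags `yiisoft/yii2` versions below 2.0.52; the lock content is a constructed sample embedded inline so the script runs offline.

```php
<?php
// Added example, not from the page or the Yii project: flag a project whose
// locked yiisoft/yii2 version is below 2.0.52. The composer.lock content is a
// constructed sample; replace the $lockJson assignment with
// file_get_contents('composer.lock') to check a real project.
declare(strict_types=1);

const FIXED_VERSION = '2.0.52';   // first unaffected release per the advisory

/** Returns the locked version of $package from composer.lock JSON, or null if absent. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') === $package) {
                return ltrim((string) $entry['version'], 'v');   // "v2.0.51" -> "2.0.51"
            }
        }
    }
    return null;
}

/** True when the locked version is a release below FIXED_VERSION, or cannot be compared. */
function isAffected(?string $version): bool
{
    if ($version === null) {
        return false;   // package not locked at all
    }
    // Branch aliases such as "dev-master" carry no comparable number; treat
    // them as needing manual review rather than silently passing them.
    if (!preg_match('/^\d+\.\d+\.\d+/', $version)) {
        return true;
    }
    return version_compare($version, FIXED_VERSION, '<');
}

// Constructed sample lock file, not a real project's.
$lockJson = <<<'JSON'
{"packages":[{"name":"yiisoft/yii2","version":"2.0.51"},{"name":"psr/log","version":"3.0.0"}],"packages-dev":[]}
JSON;

$version = lockedVersion($lockJson, 'yiisoft/yii2');
printf(
    "yiisoft/yii2 %s: %s\n",
    $version ?? 'not locked',
    isAffected($version) ? 'AFFECTED, upgrade to >= ' . FIXED_VERSION : 'not affected'
);
```

Checking the lock file rather than `composer.json` matters because the constraint in `composer.json` (for example `~2.0.0`) says nothing about which release is actually deployed.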

Weaknesses

cve@mitre.org
CWE-424 (Improper Protection of Alternate Path)
nvd@nist.gov
NVD-CWE-Other

Social media

Hype score
Not currently trending
  1. csirt_it: The Cyber Week of 4 May 2025 🔹 updates for multiple products 🔹 Malvertising: spread of the NodeStealer and Xworm malware 🔹 Craft CMS: active exploitation chain detected for CVE-2025-32432 and CVE-2024-58136 ⚠️ #EPS… https://t.co

    @Vulcanux_

    5 May 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. The Cyber Week of 4 May 2025 🔹 updates for multiple products 🔹 Malvertising: spread of the NodeStealer and Xworm malware 🔹 Craft CMS: active exploitation chain detected for CVE-2025-32432 and CVE-2024-58136 ⚠️ #EPSS 🔗 https://t.co/0ICeD

    @csirt_it

    5 May 2025

    126 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE Alert: Yiiframework Yii Improper Protection of Alternate Path Vulnerability Exploited In The wild 🚨 Vulnerability Details: CVE-2024-58136 (CVSS v3 9.8/10) Yiiframework Yii Improper Protection of Alternate Path Vulnerability Impact: A Successful exploit may allow a h

    @CyberxtronTech

    5 May 2025

    49 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. ⚠️ Critical RCE vuln in Yii Framework (CVE-2024-58136) is now in CISA’s Known Exploited Vulnerabilities. Affects versions < 2.0.52. Immediate patching urged. #CyberSecurity #YiiFramework #CVE202458136 🔗 https://t.co/cbFhQzXTPQ

    @threatsbank

    3 May 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-58136 ##Yiiframework Yii Improper Protection of Alternate Path Vulnerability https://t.co/AFCK1KqTh7

    @ScyScan

    2 May 2025

    8 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🛡️ We added Yii framework and Commvault vulnerabilities CVE-2024-58136 & CVE-2025-34028 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. https://t.co/Eil0idoZXD

    @CISACyber

    2 May 2025

    5670 Impressions

    12 Retweets

    22 Likes

    3 Bookmarks

    1 Reply

    3 Quotes

  7. Two vulnerabilities have recently been published for Craft CMS, identified as CVE-2025-32432 (RCE) and CVE-2024-58136 (input validation). For prevention and mitigation, the necessary update should be appl…

    @AmirHossein_sec

    29 Apr 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🗞️ Critical Craft CMS Zero-Days Exploited to Compromise Hundreds of Servers Hackers are actively exploiting two Craft CMS zero-days (CVE-2025-32432, CVE-2024-58136), breaching ~300 of 13,000 vulnerable servers since Feb 2025. Update to patched versions (3.9.15, 4.14.15, 5.6

    @gossy_84

    29 Apr 2025

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. csirt_it: ‼️ #Exploited Active in-the-wild exploitation chain detected for CVE-2025-32432 and CVE-2024-58136 affecting #CraftCMS and the #Yii framework Risk: 🟠 Type: 🔸 Remote Code Execution 🔗 https://t.co/haZOIpDqcO ⚠ Important to update the s… https://t.c

    @Vulcanux_

    29 Apr 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 13,000+ Servers at Risk: Critical Craft CMS Flaws Under Active Attack 🚨 Cybercriminals are exploiting two newly disclosed critical vulnerabilities in Craft CMS, targeting servers in a wave of zero-day attacks. Here’s what’s happening: - CVE-2024-58136 (CVSS 9.0): Ex

    @efani

    28 Apr 2025

    284 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-32432: RCE in CraftCMS, 10.0 rating 🔥🔥🔥 0-day vuln makes some versions of CraftCMS vulnerable to RCE. Used in the wild in combination with CVE-2024-58136. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/EbJurfzSUw #cybersecurity #vulnerability_map

    @Netlas_io

    28 Apr 2025

    715 Impressions

    5 Retweets

    12 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  12. Two zero-day vulnerabilities in Craft CMS, CVE-2025-32432 (RCE) and CVE-2024-58136 (input validation flaw in Yii framework), were exploited in ongoing attacks to breach servers and steal data. https://t.co/SBiO8qxeX7

    @securityRSS

    28 Apr 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 📌 Hackers are exploiting critical security flaws in Craft CMS, exposing hundreds of servers to compromise. These attacks have been observed by Orange Cyberdefense SensePost since 14 February 2025 and are based on flaws …

    @Cybercachear

    28 Apr 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. A Metasploit module for the Craft CMS zero-day vulnerability CVE-2025-32432 (CVSS score 10) has been published. It is combined with CVE-2024-58136, an input validation flaw in the Yii framework, a combination that is actually being exploited. Yi

    @__kokumoto

    28 Apr 2025

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨Craft CMS zero-day exploit!🚨 CVE-2025-32432 & CVE-2024-58136 chained in attacks to breach servers & steal data. Update to the latest version ASAP! If you suspect compromise, refresh security keys & rotate DB credentials! #Cybersecurity #CraftCMS https://t.co/0

    @fernandokarl

    27 Apr 2025

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 Two zero-day vulnerabilities in Craft CMS, CVE-2025-32432 (RCE) & CVE-2024-58136 (input validation), have been exploited in data breaches. Security measures are crucial. #CraftCMS #DataSteal #USA link: https://t.co/IRIOfZ0Qre https://t.co/KWWwThgP0h

    @TweetThreatNews

    25 Apr 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Urgent: Yii 2 Vulnerability CVE-2024-58136 Under Active Exploit A critical flaw in Yii 2 exposes applications to remote code execution. Attackers are actively exploiting this vulnerability—patch immediately. https://t.co/J8OgL2pADg #Cybersecurity #YiiFramework #RCE

    @adriananglin

    14 Apr 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 CVE-2024-58136 ⚠️🔴 CRITICAL (9) 🏢 yiiframework - Yii 🏗️ 2 🔗 https://t.co/wkGn6xY2xy 🔗 https://t.co/UsRNMGVRsg 🔗 https://t.co/UM29XMCEiy 🔗 https://t.co/w343octaf5 🔗 https://t.co/Kgcm0WrQ5k #CyberCron #VulnAlert #InfoSec https://t.co/oNmfWQDK6b

    @cybercronai

    11 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CVE-2024-58136 Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February thr… https://t.co/QHqLpJqSS0

    @CVEnew

    10 Apr 2025

    273 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations