CVE-2024-58136

critical

Description

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

References

Exploits
More

https://www.securityweek.com/critical-commvault-vulnerability-in-attacker-crosshairs/

https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-exploited-vulnerabilities-catalog

https://www.securityweek.com/craft-cms-zero-day-exploited-to-compromise-hundreds-of-websites/

https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html

https://securityaffairs.com/177085/hacking/attackers-chained-craft-cms-zero-days-attacks-in-the-wild.html

https://www.bleepingcomputer.com/news/security/craft-cms-rce-exploit-chain-used-in-zero-day-attacks-to-steal-data/

https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/

https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52

https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709

https://github.com/yiisoft/yii2/pull/20232

https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52

https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12

Details

Source: Mitre, NVD

Published: 2025-04-10

Updated: 2025-05-03

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H