Code Injection Vulnerability in Yii Framework by Yii Software
CVE-2024-58136

9.8CRITICAL

Key Information:

Status
Vendor
CVE Published: 10 April 2025

Badges

  • 📈 Score: 1,210
  • 👾 Exploit Exists
  • 🟣 EPSS 36%
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2024-58136?

CVE-2024-58136 is a vulnerability in the Yii Framework, a popular PHP framework widely used for developing web applications. It affects Yii 2 versions prior to 2.0.52, in which the framework mishandles the attachment of behaviors because of an improperly managed __class array key. Such a flaw exposes organizations to a range of security risks, potentially leading to malicious code execution and further exploitation by threat actors. Because the Yii Framework underpins numerous applications, the implications are considerable: the integrity and confidentiality of sensitive data handled by those applications could be compromised.

Technical Details

CVE-2024-58136 is a code injection vulnerability arising from a regression related to CVE-2024-4990. It is rooted in improper handling of the __class array key, which can lead to unexpected behavior while application behaviors are being attached. Yii's broader ecosystem relies on these components working correctly to maintain the security and stability of the applications built on it. Although there are no known exploitations of this vulnerability at present, code injection vulnerabilities are particularly dangerous by nature, as they can be leveraged to gain unauthorized control over affected systems.

Potential impact of CVE-2024-58136

  1. Remote Code Execution: The most significant risk presented by this vulnerability is the potential for remote code execution. Attackers may exploit this flaw to inject malicious code into web applications, executing arbitrary commands on the server, which can lead to full system compromise.

  2. Data Breach: Exploiting this vulnerability could allow attackers to access sensitive data stored within applications built on the Yii Framework. This could result in unauthorized retrieval of personal, financial, or proprietary information, leading to severe data breaches.

  3. Service Disruption: The misuse of this vulnerability might not only let attackers hijack control over systems but could also enable them to disrupt normal service operations. By executing harmful commands, attackers could introduce instability, leading to application outages and degraded service performance for users.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities; this one has been identified as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Yii 2 < 2.0.52
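The only version information the advisory gives is the affected range above (Yii 2 before 2.0.52), so the first practical check for a defender is whether a deployed application still pins a vulnerable yiisoft/yii2 release. The script below is an added example, not code from this page or from the Yii project: it reads a Composer lock file, pulls the installed yiisoft/yii2 version from both the packages and packages-dev sections, and compares it against 2.0.52. The composer.lock content embedded in it is constructed for the demonstration; the package name yiisoft/yii2 and the lock file layout ("packages"/"packages-dev" arrays of objects with "name" and "version") are the standard Composer conventions, and the version parsing assumes Composer-style strings such as "v2.0.49.4" or "2.0.52-beta".

```python
import json
import re
import sys

# Fix version per the advisory: Yii 2 < 2.0.52 is affected by CVE-2024-58136.
FIXED_VERSION = "2.0.52"
PACKAGE = "yiisoft/yii2"

# Constructed sample composer.lock (not from any real project) with a vulnerable pin.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49.4"},
        {"name": "yiisoft/yii2-bootstrap5", "version": "2.0.4"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.19"},
    ],
})


def parse_version(version: str):
    """Turn a Composer version string ('v2.0.49.4', '2.0.52-beta') into a comparable tuple.

    A leading 'v' and any stability/build suffix are dropped; the tuple is padded to four
    numeric components so that 2.0.52 compares greater than 2.0.49.4. Returns None for
    strings with no numeric component (e.g. 'dev-master'), which cannot be assessed.
    """
    core = re.sub(r"^v", "", version.strip())
    core = re.split(r"[-+]", core, maxsplit=1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    if not parts:
        return None
    return tuple(parts + [0] * (4 - len(parts)))


def installed_versions(lock_json: str) -> dict:
    """Map package name -> pinned version across the packages and packages-dev sections."""
    data = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_yii2(lock_json: str) -> dict:
    """Report whether yiisoft/yii2 is pinned and whether the pin is below the fixed release.

    'vulnerable' is True/False when the version could be parsed, and None when it is a
    branch alias that needs manual review.
    """
    version = installed_versions(lock_json).get(PACKAGE)
    if version is None:
        return {"present": False, "version": None, "vulnerable": False}
    parsed = parse_version(version)
    if parsed is None:
        return {"present": True, "version": version, "vulnerable": None}
    return {
        "present": True,
        "version": version,
        "vulnerable": parsed < parse_version(FIXED_VERSION),
    }


if __name__ == "__main__":
    # Usage: python check_yii2.py [path/to/composer.lock]; falls back to the sample above.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = check_yii2(lock_text)
    if not result["present"]:
        print(f"{PACKAGE} not found in lock file")
    elif result["vulnerable"] is None:
        print(f"{PACKAGE} {result['version']}: branch alias, review manually")
    elif result["vulnerable"]:
        print(f"{PACKAGE} {result['version']} is below {FIXED_VERSION}: upgrade required")
    else:
        print(f"{PACKAGE} {result['version']} is at or above {FIXED_VERSION}")
```

Run it against each application's committed composer.lock rather than composer.json, since the lock file records the version actually installed; a branch alias such as dev-master is reported for manual review instead of being silently treated as safe.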

News Articles

CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation

2 days ago

Craft CMS RCE exploit chain used in zero-day attacks to steal data

Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense.

2 weeks ago

References

EPSS Score

36% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
