Cyber Resilience

CVE-2024-58136

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 April 2025
Modified: 05 November 2025
KEV Added: 02 May 2025
Patch
CVSS Score (v3.1): 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7726 (99.0th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-58136 is a critical-severity Improper Protection of Alternate Path (CWE-424) vulnerability in Yiiframework Yii. Its CVSS base score is 9.0 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Yii 2 before version 2.0.52 contains a vulnerability that mishandles attachment of behaviors specified via an __class array key. The flaw is a regression of CVE-2024-4990 and affects the Yii framework's behavior attachment logic, allowing improper class resolution during object configuration.

An unauthenticated remote attacker can supply a crafted configuration array over the network to trigger the issue; the CVSS vector rates attack complexity as high (AC:H). Successful exploitation yields full control over the affected application, including arbitrary code execution and loss of confidentiality, integrity, and availability, as reflected in the CVSS 9.0 score with changed scope (S:C).

Official references direct users to upgrade to Yii 2.0.52. The fix is documented in the project's GitHub commit 40fe496eda529fd1d933b56a1022ec32d3cd0b12, the 2.0.51-to-2.0.52 diff, pull request 20232, and the Yii Framework security advisory that explicitly recommends immediate patching.

The CVE was exploited in the wild between February and April 2025, coinciding with EPSS values that reached a peak of 0.7895 and remain at 0.7726.

EU & UK References

Vulnerability details

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CWE(s): CWE-424 (Improper Protection of Alternate Path)
KEV Date Added: 02 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: yiiframework
Product: yii
Versions: ≤ 2.0.52

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation)

Directly requires timely application of the vendor patch (upgrade to Yii 2.0.52) that restores validation of the __class key and eliminates the unsafe instantiation path.

Prevent (SI-10, Information Input Validation)

Enforces validation of all supplied configuration arrays (including behavior definitions containing __class) before any class loading or instantiation occurs.

Prevent / Detect

Requires integrity verification of application code and configuration data to detect or block unauthorized class-loading behavior introduced via the vulnerable attachment logic.
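The flaw-remediation control above comes down to one question for an operations team: which deployments still pin a yiisoft/yii2 release older than 2.0.52? The following script is an added example, not code from this page or from the Yii project. It reads a composer.lock file (the Composer package name yiisoft/yii2 is real; the lock excerpt embedded here is constructed sample input) and flags any pin below 2.0.52, which the advisory text identifies as the fixed release. Versions that are branch aliases such as dev-master cannot be compared numerically and are deliberately reported as needing review rather than silently passed.

```python
"""Flag a vulnerable yiisoft/yii2 pin in composer.lock (CVE-2024-58136, fixed in 2.0.52)."""
import json
import re
from typing import Optional, Tuple

PACKAGE = "yiisoft/yii2"
FIXED_VERSION = "2.0.52"   # first release carrying the fix, per the advisory

# Constructed composer.lock excerpt used as sample input; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.51"},
        {"name": "yiisoft/yii2-bootstrap5", "version": "2.0.4"},
    ],
    "packages-dev": [
        {"name": "yiisoft/yii2-debug", "version": "2.1.25"},
    ],
})


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn a Composer tag such as 'v2.0.49' or '2.0.52' into a comparable tuple.

    Branch aliases like 'dev-master' have no numeric form and yield None.
    """
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def find_package(lock_text: str, name: str = PACKAGE) -> Optional[str]:
    """Return the pinned version of `name` from composer.lock JSON.

    Both 'packages' and 'packages-dev' are searched; None if the package is absent.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the pinned version is older than the fixed release.

    Unparseable versions (branch aliases) are treated as vulnerable so that a
    human reviews them instead of the scanner quietly passing them.
    """
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(fixed)


def assess_lock(lock_text: str) -> dict:
    """Summarise whether a composer.lock still pins a pre-fix yiisoft/yii2."""
    version = find_package(lock_text)
    if version is None:
        return {"present": False, "version": None, "vulnerable": False}
    return {"present": True, "version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Run against a real project with: assess_lock(open("composer.lock").read())
    print(assess_lock(SAMPLE_LOCK))
```

The scan is only as good as the lock file: a project that vendors Yii outside Composer, or that deploys from a lock file other than the one scanned, needs the version confirmed on the running host as well.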

References