⚠️ CISA Known Exploited Vulnerability
Active ThreatThis vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed in the wild. This poses significant risk to federal enterprises and should be prioritized for immediate patching.
CVE-2024-58136
Critical CISA KEV
Low
Medium
High
Critical
9.0
CVSS Score
Published: Apr 10, 2025
Last Modified: Nov 05, 2025
Vulnerability Description
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
N
Attack Complexity
H
Privileges Required
N
User Interaction
N
Scope
C
Confidentiality
H
Integrity
H
Availability
H
Known Affected Software
66 configuration(s) from 1 vendor(s)
yii
Version:
2.0.0
CPE:
cpe:2.3:a:yiiframework:yii:2.0.0:-:*:*:*:*:*:*
yii
Version:
2.0.13.3
CPE:
cpe:2.3:a:yiiframework:yii:2.0.13.3:*:*:*:*:*:*:*
yii
Version:
2.0.39
CPE:
cpe:2.3:a:yiiframework:yii:2.0.39:*:*:*:*:*:*:*
yii
Version:
2.0.13.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.13.2:*:*:*:*:*:*:*
yii
Version:
2.0.21
CPE:
cpe:2.3:a:yiiframework:yii:2.0.21:*:*:*:*:*:*:*
yii
Version:
2.0.5
CPE:
cpe:2.3:a:yiiframework:yii:2.0.5:*:*:*:*:*:*:*
yii
Version:
2.0.4
CPE:
cpe:2.3:a:yiiframework:yii:2.0.4:*:*:*:*:*:*:*
yii
Version:
2.0.48
CPE:
cpe:2.3:a:yiiframework:yii:2.0.48:*:*:*:*:*:*:*
yii
Version:
2.0.24
CPE:
cpe:2.3:a:yiiframework:yii:2.0.24:*:*:*:*:*:*:*
yii
Version:
2.0.27
CPE:
cpe:2.3:a:yiiframework:yii:2.0.27:*:*:*:*:*:*:*
yii
Version:
2.0.42.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.42.1:*:*:*:*:*:*:*
yii
Version:
2.0.29
CPE:
cpe:2.3:a:yiiframework:yii:2.0.29:*:*:*:*:*:*:*
yii
Version:
2.0.46
CPE:
cpe:2.3:a:yiiframework:yii:2.0.46:*:*:*:*:*:*:*
yii
Version:
2.0.16
CPE:
cpe:2.3:a:yiiframework:yii:2.0.16:*:*:*:*:*:*:*
yii
Version:
2.0.28
CPE:
cpe:2.3:a:yiiframework:yii:2.0.28:*:*:*:*:*:*:*
yii
Version:
2.0.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.2:*:*:*:*:*:*:*
yii
Version:
2.0.13
CPE:
cpe:2.3:a:yiiframework:yii:2.0.13:*:*:*:*:*:*:*
yii
Version:
2.0.16.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.16.1:*:*:*:*:*:*:*
yii
Version:
2.0.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.1:*:*:*:*:*:*:*
yii
Version:
2.0.23
CPE:
cpe:2.3:a:yiiframework:yii:2.0.23:*:*:*:*:*:*:*
yii
Version:
2.0.12.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.12.1:*:*:*:*:*:*:*
yii
Version:
2.0.31
CPE:
cpe:2.3:a:yiiframework:yii:2.0.31:*:*:*:*:*:*:*
yii
Version:
2.0.11.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.11.1:*:*:*:*:*:*:*
yii
Version:
2.0.41.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.41.1:*:*:*:*:*:*:*
yii
Version:
2.0.9
CPE:
cpe:2.3:a:yiiframework:yii:2.0.9:*:*:*:*:*:*:*
yii
Version:
2.0.13.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.13.1:*:*:*:*:*:*:*
yii
Version:
2.0.18
CPE:
cpe:2.3:a:yiiframework:yii:2.0.18:*:*:*:*:*:*:*
yii
Version:
2.0.42
CPE:
cpe:2.3:a:yiiframework:yii:2.0.42:*:*:*:*:*:*:*
yii
Version:
2.0.15
CPE:
cpe:2.3:a:yiiframework:yii:2.0.15:*:*:*:*:*:*:*
yii
Version:
2.0.40
CPE:
cpe:2.3:a:yiiframework:yii:2.0.40:*:*:*:*:*:*:*
yii
Version:
2.0.22
CPE:
cpe:2.3:a:yiiframework:yii:2.0.22:*:*:*:*:*:*:*
yii
Version:
2.0.39.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.39.2:*:*:*:*:*:*:*
yii
Version:
2.0.49.3
CPE:
cpe:2.3:a:yiiframework:yii:2.0.49.3:*:*:*:*:*:*:*
yii
Version:
2.0.12.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.12.2:*:*:*:*:*:*:*
yii
Version:
2.0.7
CPE:
cpe:2.3:a:yiiframework:yii:2.0.7:*:*:*:*:*:*:*
yii
Version:
2.0.17
CPE:
cpe:2.3:a:yiiframework:yii:2.0.17:*:*:*:*:*:*:*
yii
Version:
2.0.39.3
CPE:
cpe:2.3:a:yiiframework:yii:2.0.39.3:*:*:*:*:*:*:*
yii
Version:
2.0.8
CPE:
cpe:2.3:a:yiiframework:yii:2.0.8:*:*:*:*:*:*:*
yii
Version:
2.0.10
CPE:
cpe:2.3:a:yiiframework:yii:2.0.10:*:*:*:*:*:*:*
yii
Version:
2.0.25
CPE:
cpe:2.3:a:yiiframework:yii:2.0.25:*:*:*:*:*:*:*
yii
Version:
2.0.47
CPE:
cpe:2.3:a:yiiframework:yii:2.0.47:*:*:*:*:*:*:*
yii
Version:
2.0.39.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.39.1:*:*:*:*:*:*:*
yii
Version:
2.0.12
CPE:
cpe:2.3:a:yiiframework:yii:2.0.12:*:*:*:*:*:*:*
yii
Version:
2.0.14.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.14.2:*:*:*:*:*:*:*
yii
Version:
2.0.37
CPE:
cpe:2.3:a:yiiframework:yii:2.0.37:*:*:*:*:*:*:*
yii
Version:
2.0.43
CPE:
cpe:2.3:a:yiiframework:yii:2.0.43:*:*:*:*:*:*:*
yii
Version:
2.0.19
CPE:
cpe:2.3:a:yiiframework:yii:2.0.19:*:*:*:*:*:*:*
yii
Version:
2.0.32
CPE:
cpe:2.3:a:yiiframework:yii:2.0.32:*:*:*:*:*:*:*
yii
Version:
2.0.3
CPE:
cpe:2.3:a:yiiframework:yii:2.0.3:*:*:*:*:*:*:*
yii
Version:
2.0.6
CPE:
cpe:2.3:a:yiiframework:yii:2.0.6:*:*:*:*:*:*:*
yii
Version:
2.0.34
CPE:
cpe:2.3:a:yiiframework:yii:2.0.34:*:*:*:*:*:*:*
yii
Version:
2.0.30
CPE:
cpe:2.3:a:yiiframework:yii:2.0.30:*:*:*:*:*:*:*
yii
Version:
2.0.15.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.15.1:*:*:*:*:*:*:*
yii
Version:
2.0.20
CPE:
cpe:2.3:a:yiiframework:yii:2.0.20:*:*:*:*:*:*:*
yii
Version:
2.0.45
CPE:
cpe:2.3:a:yiiframework:yii:2.0.45:*:*:*:*:*:*:*
yii
Version:
2.0.41
CPE:
cpe:2.3:a:yiiframework:yii:2.0.41:*:*:*:*:*:*:*
yii
Version:
2.0.11
CPE:
cpe:2.3:a:yiiframework:yii:2.0.11:*:*:*:*:*:*:*
yii
Version:
2.0.14
CPE:
cpe:2.3:a:yiiframework:yii:2.0.14:*:*:*:*:*:*:*
yii
Version:
2.0.35
CPE:
cpe:2.3:a:yiiframework:yii:2.0.35:*:*:*:*:*:*:*
yii
Version:
2.0.38
CPE:
cpe:2.3:a:yiiframework:yii:2.0.38:*:*:*:*:*:*:*
yii
Version:
2.0.14.1
CPE:
cpe:2.3:a:yiiframework:yii:2.0.14.1:*:*:*:*:*:*:*
yii
Version:
2.0.11.2
CPE:
cpe:2.3:a:yiiframework:yii:2.0.11.2:*:*:*:*:*:*:*
yii
Version:
2.0.36
CPE:
cpe:2.3:a:yiiframework:yii:2.0.36:*:*:*:*:*:*:*
yii
Version:
2.0.44
CPE:
cpe:2.3:a:yiiframework:yii:2.0.44:*:*:*:*:*:*:*
yii
Version:
2.0.33
CPE:
cpe:2.3:a:yiiframework:yii:2.0.33:*:*:*:*:*:*:*
yii
Version:
2.0.26
CPE:
cpe:2.3:a:yiiframework:yii:2.0.26:*:*:*:*:*:*:*
This vulnerability affects 66 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12cve@mitre.org Patch
-
https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52cve@mitre.org Issue Tracking
-
https://github.com/yiisoft/yii2/pull/20232cve@mitre.org Patch
-
https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709cve@mitre.org Issue Tracking
-
https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52cve@mitre.org Vendor Advisory
-
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit Third Party Advisory
-
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
Severity Details
9.0
out of 10.0
Critical
CISA KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalog
Key Information
- Published Date
- April 10, 2025
