Known Exploited Vulnerabilities CVE-2024-58136

Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability | exploitation_technique | T1055 | Process Injection | Comments: The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to input arbitrary PHP classes to a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts. |
| CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | Comments: The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to input arbitrary PHP classes to a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts. |