CISA adds Yii Framework and Commvault bugs to KEV Catalog

---

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, identifying two high-risk security flaws actively exploited in the wild. These vulnerabilities affect Yii Framework and Commvault Command Center, highlighting the need for urgent remediation.

1. Yii Framework Vulnerability (CVE-2024-58136)

Overview

• Description:
• This vulnerability impacts the Yii Framework, specifically its alternate path protection mechanism.
• Due to improper input validation, attackers can bypass security controls and gain remote code execution (RCE) capabilities.
• Categorized under CWE-22 (Improper Protection of Alternate Path).
• Severity:
• CVSS Score: 9.0 (High).
• Impact: Enables unauthorized execution of malicious code, compromising web applications built on Yii.
• Affected Versions:
• Yii Framework 2.0.51 and earlier.

2. Commvault Command Center Vulnerability (CVE-2025-34028)

Overview

• Description:
• A path traversal vulnerability in the Commvault Command Center Innovation Release.
• Exploitation allows unauthenticated attackers to upload ZIP files containing malicious payloads, which, upon extraction, result in remote code execution (RCE).
• Categorized under CWE-22 (Path Traversal).
• Severity:
• CVSS Score: 10.0 (Critical).
• Impact: Grants attackers full control over compromised systems, allowing widespread malware deployment.
• Affected Versions:
• Commvault Command Center 11.38.0 through 11.38.19.

3. Exploitation Techniques

Yii Framework (CVE-2024-58136)

• Attackers manipulate input validation flaws to circumvent security restrictions.
• Exploited systems can execute malicious PHP scripts, leading to unauthorized access and compromised web applications.

Commvault Command Center (CVE-2025-34028)

• Attackers upload crafted ZIP files with embedded JSP webshells.
• When extracted, these webshells enable persistent control over affected environments, facilitating further exploitation.

4. Mitigation Strategies

A. Apply Security Updates

• Yii Framework: Upgrade to Yii 2.0.52 or later.
• Commvault Command Center: Apply patches updating systems to version 11.38.20 or higher.

B. Restrict Access

• Limit exposure of Yii Framework-based applications to trusted users and secure endpoints.
• Restrict access to Commvault Command Center interfaces using firewall rules and VPN-based access.

C. Monitor for Indicators of Compromise

• Deploy Intrusion Detection Systems (IDS) to flag suspicious activity.
• Audit logs for unauthorized file uploads or attempts to manipulate input validation mechanisms.

5. Federal Compliance Requirements

Binding Operational Directive (BOD) 22-01

• Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by May 20, 2025, ensuring compliance with CISA guidelines.

6. Conclusion

CISA’s inclusion of CVE-2024-58136 (Yii Framework) and CVE-2025-34028 (Commvault Command Center) in its Known Exploited Vulnerabilities (KEV) Catalog underscores the immediate need for patching and enhanced security measures. Organizations relying on these technologies should prioritize remediation efforts, implement access controls, and strengthen network monitoring to prevent exploitation.