U.S. CISA adds Yii Framework and Commvault Command Center flaws to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added high-severity vulnerabilities in the Yii Framework and Commvault Command Center to its Known Exploited Vulnerabilities catalog. These vulnerabilities can lead to path traversal and remote code execution. Attackers have already chained these vulnerabilities to compromise servers and upload malicious files. CISA requires federal agencies to fix these vulnerabilities by May 23, 2025 to mitigate the risk. 2025-5-3 10:11:31 Author: securityaffairs.com

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Yii Framework and Commvault Command Center flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

  • CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
  • CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability

The vulnerability CVE-2025-34028 (CVSS score of 10) is a path traversal vulnerability in Commvault Command Center Innovation Release. An unauthenticated attacker can exploit the flaw to upload ZIP files, which, when expanded by the target server, could result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
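The flaw class described above is an archive whose member names escape the extraction directory when the server expands it. The following is an added example, not code from the advisory or from Commvault, showing the check an extractor must apply: every member is resolved against the destination and anything that lands outside it is rejected before a single file is written. The archives are constructed in memory for the demonstration (Python's own `extractall` already sanitizes member names; the point is the logic itself).

```python
import io
import zipfile
from pathlib import Path


def unsafe_entries(archive: bytes, dest: str) -> list[str]:
    """Return the member names that would be written outside dest.

    The check resolves the joined path instead of string-matching '..',
    so relative escapes, absolute names and backslash separators are
    all caught the same way.
    """
    root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                bad.append(info.filename)
    return bad


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only when every member stays under dest; otherwise refuse."""
    bad = unsafe_entries(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [i.filename for i in zf.infolist()]
        zf.extractall(dest)
    return names


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; writestr keeps member names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hypothetical, not taken from the advisory).
BENIGN = build_zip({"report/index.html": b"<p>ok</p>"})
HOSTILE = build_zip({
    "ok.txt": b"placeholder",
    "../../outside_of_dest.txt": b"placeholder",
    "/abs/outside.txt": b"placeholder",
})
```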

This week, Orange Cyberdefense’s CSIRT warned that threat actors chained two Craft CMS vulnerabilities in recent attacks. Orange experts discovered the flaws while investigating a server compromise.

The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136 (CVSS score of 9), are a remote code execution (RCE) in Craft CMS and an input validation flaw in the Yii framework used by Craft CMS.

According to a report published by SensePost, Orange Cyberdefense’s ethical hacking team, threat actors exploited the two vulnerabilities to breach servers and upload a PHP file manager. The attack began with the exploitation of the flaw CVE-2025-32432 by sending a crafted request with a “return URL” that was saved in a PHP session file.

Then, attackers exploited the vulnerability CVE-2024-58136 in the Yii framework used by Craft CMS. The attacker sent a malicious JSON payload, executing PHP code from the session file. This enabled the installation of a PHP-based file manager, further compromising the server.

Both vulnerabilities have been fixed; the flaw CVE-2025-32432 has been addressed with the release of versions 3.9.15, 4.14.15, and 5.6.17. The development team behind Yii addressed the issue with the release of Yii 2.0.52 on April 9th.

Using the Onyphe asset database, the investigation identified nearly 35,000 Craft CMS instances. By applying a nuclei template, researchers identified around 13,000 vulnerable instances connected to approximately 6,300 IP addresses, mostly located in the U.S. Further analysis found about 300 potentially compromised instances based on specific file patterns.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 23, 2025.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)
Source: https://securityaffairs.com/177367/hacking/u-s-cisa-adds-yii-framework-and-commvault-command-center-flaws-to-its-known-exploited-vulnerabilities-catalog.html