U.S. CISA Adds Yii Framework and Commvault Command Center Flaws to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the ongoing threat landscape facing organizations worldwide. Among these additions are flaws in popular software frameworks and enterprise solutions.
Commvault Command Center Flaw: Critical Path Traversal Vulnerability
CISA has added a critical path traversal vulnerability in Commvault Command Center (CVE-2025-34028) to its KEV catalog. This flaw allows an unauthenticated attacker to upload ZIP files, which can lead to Remote Code Execution when expanded by the target server. The vulnerability affects Commvault Command Center Innovation Release 11.38.
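The ZIP-upload path traversal described above belongs to the class usually called "Zip Slip": an archive entry whose name contains `../` components is written outside the directory the server intended to expand it into. The following Python is an added example, not Commvault's code and not derived from the vulnerable component; it shows the containment check a server-side extractor should perform on every entry name before writing anything, and builds its own constructed archives (one clean, one carrying a traversal entry) so it runs offline.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip(entries):
    """Build an in-memory ZIP from {name: bytes}. Constructed test data, not a captured upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr keeps the name verbatim, including ".." parts
    return buf.getvalue()


def validate_member_path(dest_dir, member_name):
    """Return the absolute target for a member, or raise ValueError if it escapes dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Absolute names and drive letters are never legitimate in an uploaded archive.
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        raise ValueError(f"absolute path in archive entry: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # Containment check: after resolving "..", the target must still sit under dest_root.
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError(f"path traversal in archive entry: {member_name!r}")
    return target


def safe_extract(zip_bytes, dest_dir):
    """Extract ZIP bytes into dest_dir, refusing the whole archive if any entry escapes it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every entry before writing, so a bad archive leaves no partial state behind.
        targets = [(info, validate_member_path(dest_dir, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo():
    """Extract a clean archive, then show the traversal archive is rejected before any write."""
    dest = tempfile.mkdtemp(prefix="unzip-demo-")
    clean = build_sample_zip({"docs/readme.txt": b"hello"})
    extracted = safe_extract(clean, dest)
    hostile = build_sample_zip({"docs/readme.txt": b"hello", "../../escape.txt": b"x"})
    try:
        safe_extract(hostile, dest)
        rejected = False
    except ValueError:
        rejected = True
    escaped = os.path.exists(os.path.join(dest, "..", "..", "escape.txt"))
    return {"extracted": len(extracted), "rejected": rejected, "escaped_file_written": escaped}


if __name__ == "__main__":
    print(run_demo())
```

The important design choice is validating all entry names before the first write: rejecting only the offending entry mid-extraction still leaves earlier entries on disk, which is why the function treats one bad name as grounds to refuse the whole upload.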
According to Orange Cyberdefense's CSIRT, threat actors have exploited this flaw in recent attacks, chaining two Craft CMS vulnerabilities to breach servers and compromise infrastructure. Using the Onyphe asset database, the researchers identified around 35,000 Craft CMS instances; the compromised instances are mostly located in the U.S.
Yii Framework Flaw: Remote Code Execution Vulnerability
CISA has also added a remote code execution (RCE) vulnerability in the Yii framework used by Craft CMS (CVE-2025-32432) to its KEV catalog. This flaw allows attackers to execute PHP code from a session file.
Craft CMS Flaw: Input Validation Vulnerability
Also added to the catalog is an input validation flaw in Craft CMS (CVE-2024-58136). This flaw enables threat actors to execute arbitrary PHP code, further compromising servers and infrastructure.
According to SensePost, Orange Cyberdefense's ethical hacking team, the attack began with exploitation of CVE-2025-32432, followed by exploitation of CVE-2024-58136 in the Yii framework. This enabled the installation of a PHP-based file manager, further compromising the server.
Patch Availability and Recommendations
Both vulnerabilities have been fixed: CVE-2025-32432 was addressed with the release of versions 3.9.15, 4.14.15, and 5.6.17, while the development team behind Yii released Yii 2.0.52 in April to address the issue.
Experts recommend that organizations review the KEV catalog and address the identified vulnerabilities in their infrastructure to protect against attacks exploiting these flaws. Federal agencies have until May 23, 2025, to fix the vulnerabilities as per CISA's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
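Reviewing the KEV catalog against an asset inventory is the concrete work behind the recommendation above. The Python below is an added example, not CISA tooling: it parses a constructed excerpt in the shape of CISA's KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `requiredAction` are the feed's real keys; the CVE ids and the May 23, 2025 due date come from this article, the rest of the entries are constructed), compares each matching asset's version against the fixed releases listed in the patch section above (assumed per-major-branch; Commvault's fixed release is not given in the article, so matching assets are flagged for manual verification), and reports what is still due or overdue on a given day. The inventory hosts are constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed; only the fields this example uses are present.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS",
         "dueDate": "2025-05-23", "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2024-58136", "vendorProject": "Yii", "product": "Yii Framework",
         "dueDate": "2025-05-23", "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2025-34028", "vendorProject": "Commvault", "product": "Commvault Command Center",
         "dueDate": "2025-05-23", "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Assumed remediation map: fixed releases from the article's patch section, one per major branch.
# Commvault's fixed release is not stated in the article, so its list is empty (=> "verify").
FIXED_VERSIONS = {
    "CVE-2025-32432": ["3.9.15", "4.14.15", "5.6.17"],
    "CVE-2024-58136": ["2.0.52"],
    "CVE-2025-34028": [],
}

# Constructed asset inventory (hosts and versions are made up for the example).
INVENTORY = [
    {"host": "web-01", "product": "Craft CMS", "version": "4.14.14"},
    {"host": "web-02", "product": "Craft CMS", "version": "5.6.17"},
    {"host": "api-01", "product": "Yii Framework", "version": "2.0.51"},
    {"host": "backup-01", "product": "Commvault Command Center", "version": "11.38"},
    {"host": "mail-01", "product": "Postfix", "version": "3.8"},
]


def parse_version(text):
    """'4.14.14' -> (4, 14, 14); non-numeric components such as '-beta' are dropped."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def is_patched(version, fixed_versions):
    """True/False when a fixed release exists on the asset's major branch, None when unknown."""
    installed = parse_version(version)
    for fixed in fixed_versions:
        fixed_tuple = parse_version(fixed)
        if installed[:1] == fixed_tuple[:1]:  # same major branch, e.g. 4.x against 4.14.15
            return installed >= fixed_tuple
    return None


def triage(kev_json, inventory, fixed_versions, today):
    """Match KEV entries to inventory by product and report unpatched assets with a due status."""
    today = date.fromisoformat(today)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["product"].lower() != entry["product"].lower():
                continue
            patched = is_patched(asset["version"], fixed_versions.get(entry["cveID"], []))
            if patched is True:
                continue  # already on or past the fixed release for its branch
            status = "verify" if patched is None else ("overdue" if today > due else "due")
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "dueDate": entry["dueDate"], "status": status})
    return sorted(findings, key=lambda f: (f["host"], f["cveID"]))


if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, FIXED_VERSIONS, "2025-05-30"):
        print(f'{finding["host"]:10} {finding["cveID"]:15} due {finding["dueDate"]}  {finding["status"]}')
```

Matching on product name alone is deliberately coarse: it over-reports rather than silently skipping an asset whose version string cannot be compared, which is the safer failure mode when the question is "what is exposed to a known-exploited flaw".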
Conclusion
The addition of these vulnerabilities to the KEV catalog underlines that they are being actively exploited. Organizations should stay vigilant and address the identified vulnerabilities promptly to prevent exploitation.
Follow me on Twitter: @securityaffairs, Facebook, and Mastodon for the latest updates on cybersecurity threats and vulnerabilities.
References:
CVE-2025-32432, CVE-2024-58136, and CVE-2025-34028