CVE-2025-2689
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2689 is a critical vulnerability affecting yiisoft Yii2 up to version 2.0.45, specifically in the getIterator function of the file symfony\finder\Iterator\SortableIterator.php. It stems from improper input validation (CWE-20) that leads to deserialization of untrusted data (CWE-502). Published on 2025-03-24T07:15:14.010, the issue has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker holding low privileges. Attack complexity is low and no user interaction is required; successful exploitation results in limited impact on confidentiality, integrity, and availability.
Advisories and details on the issue, including the publicly disclosed exploit, are available via VulDB entries (https://vuldb.com/?ctiid.300710, https://vuldb.com/?id.300710, https://vuldb.com/?submit.521709) and a GitHub resource (https://github.com/gaorenyusi/gaorenyusi/blob/main/Yii2.md).
The exploit has been disclosed to the public and may be used, heightening the risk for affected Yii2 deployments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-2689 is a critical remote deserialization vulnerability in the Yii2 web framework (via the bundled Symfony Finder component) that is exploitable in public-facing applications to achieve arbitrary code execution; it therefore maps directly to exploitation of public-facing applications as an initial access technique.