CVE-2025-24406
Published: 11 February 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-24406 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (Path Traversal, CWE-22) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, the issue is categorised by Adobe as a security feature bypass: a crafted pathname reaches files outside the directory the application intended to confine it to.
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Note that the vector records a high integrity impact and no confidentiality impact: successful exploitation permits the modification of files stored outside the restricted directory (for example application code or configuration), not the disclosure of their contents. The exact vulnerable code path is not described in the public advisory.
Adobe's security bulletin APSB25-08 lists the affected versions and the patched releases, and is available at https://helpx.adobe.com/security/products/magento/apsb25-08.html. Security practitioners should consult that advisory for the fixed version matching their branch and apply it; there is no documented configuration-only workaround on the page.
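The bug class behind this advisory is a file write whose target is built from attacker-controlled path components without proving that the resolved result stays inside the intended directory. The following Python is an added illustration of that generic pattern and its fix; it is not Adobe Commerce code and does not model the specific code path fixed in APSB25-08. The directory layout (`pub/media`), the hostile relative path and the symlink case are constructed inputs for the example.

```python
"""Path traversal (CWE-22): an unchecked write beside a contained one.

Added example, not Adobe Commerce code. Models the generic bug class the
advisory describes (a write that lands outside the restricted directory),
not the specific code path fixed in APSB25-08.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the restricted directory."""


def unsafe_target(base_dir: str, user_path: str) -> str:
    """Vulnerable: trusts the caller-supplied relative path without a check.

    '..' components are honoured, so the result can point anywhere on disk.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def contained_target(base_dir: str, user_path: str) -> str:
    """Hardened: resolve symlinks and '..' first, then prove containment.

    Checking the *resolved* path (realpath) rather than the raw string defeats
    '../' sequences and symlinks planted inside base_dir alike. An absolute
    user_path fails the same test, because os.path.join discards base_dir
    when its second argument is absolute.
    """
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath is component-aware: '/srv/www-evil' is not inside '/srv/www'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of the containment check, for callers that only need yes/no."""
    try:
        contained_target(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def write_media(base_dir: str, user_path: str, data: bytes, *, safe: bool) -> str:
    """Write data under base_dir and return the path actually written."""
    target = contained_target(base_dir, user_path) if safe else unsafe_target(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run both variants against constructed inputs in a throwaway tree."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "pub", "media")   # the 'restricted directory'
    os.makedirs(media)
    results = {}
    hostile = "../../app/etc/config.php"          # constructed input, not a real payload
    benign = "catalog/product/image.jpg"

    # Unchecked join: the write lands two levels above the media directory.
    results["unsafe_escaped"] = write_media(media, hostile, b"<?php ?>", safe=False)
    results["unsafe_inside_media"] = is_contained(media, results["unsafe_escaped"])

    # Contained join: the same input is rejected before anything is written.
    try:
        write_media(media, hostile, b"<?php ?>", safe=True)
        results["safe_blocked"] = False
    except PathTraversalError:
        results["safe_blocked"] = True

    # Legitimate uploads still work.
    results["safe_benign"] = write_media(media, benign, b"\xff\xd8", safe=True)
    results["safe_benign_inside_media"] = is_contained(media, results["safe_benign"])

    # Absolute paths are refused as well.
    results["abs_path_blocked"] = not is_contained(media, "/etc/passwd")

    # A symlink planted inside the restricted directory that points outside it.
    try:
        os.symlink(root, os.path.join(media, "escape"))
        write_media(media, "escape/app/etc/config.php", b"x", safe=True)
        results["safe_blocks_symlink"] = False
    except PathTraversalError:
        results["safe_blocks_symlink"] = True
    except OSError:
        results["safe_blocks_symlink"] = None   # platform without symlink support
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the check runs on the fully resolved path and compares whole path components; a string prefix test on the unresolved path (`target.startswith(base)`) misses both symlinks and sibling directories that merely share a prefix.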
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, Path Traversal)
- Affected Products: Adobe Commerce 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application); T1100 (Web Shell, now tracked as T1505.003, Server Software Component: Web Shell)
Why these techniques?
The path traversal vulnerability affects a public-facing web application (Adobe Commerce) and can be exploited remotely without authentication (T1190, Exploit Public-Facing Application). The ability to write files outside the restricted directory is the precondition for dropping a web shell into a web-served location, which maps to T1100; that identifier has been retired in ATT&CK and the technique now lives under T1505.003 (Server Software Component: Web Shell). Neither the advisory nor this page reports in-the-wild exploitation; the mapping describes the attack path the primitive enables.