Cyber Posture

CVE-2025-24407

High

Published: 11 February 2025

Modified: 16 April 2025
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0006 (percentile 18.1)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability (CWE-863) that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to perform actions with permissions that were not granted. Exploitation does not require user interaction.

Security Summary

CVE-2025-24407 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it enables a security feature bypass, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact, low integrity impact, no availability impact, and scope unchanged.

A low-privileged attacker with network access can exploit this vulnerability without user interaction. Successful exploitation allows the attacker to perform actions beyond their granted permissions, potentially accessing sensitive data (high confidentiality impact) and making limited unauthorized modifications (low integrity impact).

Adobe's security advisory APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides details on mitigation, including the recommended patch release for each affected version branch.
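The version list in the summary reads "2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier", which is a per-branch ceiling, not a flat list: 2.4.6 GA is affected because it sits below 2.4.6-p8 on its own branch, while 2.4.7-p4 is not. The following triage helper, added here and not part of the page or of Adobe's tooling, encodes that reading for Adobe Commerce core version strings (the B2B extension versions under Affected Products use a different numbering and are not covered). Treating branches older than 2.4.4 as affected follows the "and earlier" wording; the host inventory is constructed sample data.

```python
import re

# Highest patch level on each 2.4.x branch that this page lists as affected.
AFFECTED_CEILINGS = {
    (2, 4, 8): "2.4.8-beta1",
    (2, 4, 7): "2.4.7-p3",
    (2, 4, 6): "2.4.6-p8",
    (2, 4, 5): "2.4.5-p10",
    (2, 4, 4): "2.4.4-p11",
}
OLDEST_LISTED_BRANCH = (2, 4, 4)

# Adobe Commerce versions look like 2.4.6, 2.4.6-p8 or 2.4.8-beta1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")

# Ordering within a branch: beta pre-release < GA release < -pN security release.
STAGE_ORDER = {"beta": 0, None: 1, "p": 2}


def version_key(version):
    """Turn a version string into a tuple that sorts in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), STAGE_ORDER[stage], int(n or 0))


def is_affected(version):
    """True if the version is at or below the affected ceiling on its branch."""
    key = version_key(version)
    branch = key[:3]
    if branch in AFFECTED_CEILINGS:
        return key <= version_key(AFFECTED_CEILINGS[branch])
    # Assumption: "and earlier" covers every branch older than 2.4.4.
    return branch < OLDEST_LISTED_BRANCH


def triage(inventory):
    """Map each host to True/False for a {host: version} inventory; versions
    that cannot be parsed are reported as None so they are not silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = is_affected(version)
        except ValueError:
            result[host] = None
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "shop-eu-1": "2.4.7-p3",
        "shop-eu-2": "2.4.7-p4",
        "shop-us-1": "2.4.6",
        "staging": "2.4.8-beta1",
        "legacy": "2.4.3-p3",
        "unknown": "n/a",
    }
    for host, state in triage(sample).items():
        print(f"{host:10s} {sample[host]:12s} affected={state}")
```

Run it against the output of `composer show magento/product-community-edition` (or the enterprise package) on each host; anything reported as `True` should be moved to the fixed release named for its branch in APSB25-08, and `None` means the version string needs a manual look.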

Details

CWE(s)
CWE-863

Affected Products

Adobe Commerce B2B: versions 1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.0, and all versions ≤ 1.3.3

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect authorization (CWE-863) in an Internet-facing Adobe Commerce deployment lets a low-privileged, network-reachable attacker bypass permission checks to read sensitive data and make limited unauthorized modifications. Reaching the flaw through the web application maps to T1190, and acting with permissions that were never granted maps to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
