CVE-2025-24409
Published: 11 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24409 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it enables a security feature bypass, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to significant confidentiality impact and minor integrity impact.
The vulnerability can be exploited by a remote attacker requiring no privileges or user interaction. Attackers can leverage it over the network with low complexity to bypass security measures, gain unauthorized access, compromise high-impact confidentiality (such as accessing sensitive data), and achieve low-impact integrity modifications.
Adobe's security advisory provides details on mitigation; refer to https://helpx.adobe.com/security/products/magento/apsb25-08.html for patches and recommended actions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect authorization vulnerability in public-facing Adobe Commerce app enables remote unauthorized access without privileges, directly mapping to exploitation of public-facing applications for initial access.