Cyber Posture

CVE-2025-24411

High

Published: 11 February 2025

Published
11 February 2025
Modified
16 April 2025
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0011 28.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-24411 is an Improper Access Control vulnerability (CWE-284) in Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. This flaw enables a security feature bypass, allowing unauthorized access that impacts confidentiality and integrity. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-02-11.

A low-privileged attacker with network access can exploit this issue without requiring user interaction. Successful exploitation allows the attacker to bypass security measures, resulting in unauthorized access with high impacts to confidentiality and integrity, but no availability disruption.

Adobe's security bulletin APSB25-08 provides details on mitigation, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html.

Details

CWE(s)
CWE-284NVD-CWE-noinfo

Affected Products

adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4
adobe
commerce b2b
1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.0 · ≤ 1.3.3
adobe
magento
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · ≤ 2.4.4

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The improper access control vulnerability in the public-facing Adobe Commerce web application allows low-privileged authenticated attackers to bypass security features for unauthorized access (high confidentiality/integrity impact), directly enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References