Cyber Posture

CVE-2025-24418

High

Published: 11 February 2025
Modified: 05 March 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0008 (22.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-24418 is an Improper Authorization vulnerability (CWE-285) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. This issue enables privilege escalation, allowing low-privileged attackers to bypass security measures and gain unauthorized access. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-02-11.
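A practical question this record raises is whether a given Adobe Commerce install falls inside the listed range. The following is an added example (not code from this page or from Adobe) that encodes the version ceilings quoted in the summary above and answers that question for a constructed inventory. The suffix ordering it assumes (a -beta build precedes the GA release, which precedes -pN security patches) is this example's assumption about Adobe's version scheme, and fixed-version numbers are deliberately not encoded because the page does not list them; any same-branch release above a ceiling is reported as not affected purely on the strength of the listed ceilings.

```python
"""Affected-version check for CVE-2025-24418 from the ceilings on this page.

Added example, not the page's or Adobe's own code. Ceilings are the versions
the Security Summary names; "and earlier" is interpreted as every branch older
than the oldest listed one (2.4.4).
"""
import re
from typing import Dict, List, Optional, Tuple

# Version ceilings quoted on the page (assumed complete for this example).
CEILINGS = ["2.4.8-beta1", "2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11"]

# Accepts "2.4.7", "2.4.7-p3", "2.4.8-beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")

# Assumed suffix ordering within one branch: beta < GA (no suffix) < pN.
_STAGE_RANK = {"beta": 0, None: 1, "p": 2}

Branch = Tuple[int, int, int]
Suffix = Tuple[int, int]


def parse_version(version: str) -> Tuple[Branch, Suffix]:
    """Split a version into its branch (major, minor, patch) and an orderable suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch)), (_STAGE_RANK[stage], int(num or 0))


def is_affected(version: str) -> Optional[bool]:
    """True/False when the page's listed ceilings decide it, None when they do not.

    - Same branch as a ceiling: affected iff the suffix is at or below the ceiling.
    - Branch older than every listed branch: affected ("and earlier").
    - Anything else (e.g. a branch newer than 2.4.8): not decidable from this page.
    """
    branch, suffix = parse_version(version)
    ceilings: Dict[Branch, Suffix] = dict(parse_version(c) for c in CEILINGS)
    if branch in ceilings:
        return suffix <= ceilings[branch]
    if branch < min(ceilings):
        return True
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group a host -> version map into affected / not_affected / review buckets."""
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "review": []}
    for host, version in inventory.items():
        verdict = is_affected(version)
        key = "review" if verdict is None else ("affected" if verdict else "not_affected")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = {
    "shop-prod-01": "2.4.7-p3",    # listed ceiling itself
    "shop-prod-02": "2.4.7-p4",    # same branch, above the ceiling
    "shop-stage-01": "2.4.8-beta1",
    "shop-legacy-01": "2.4.3-p3",  # older branch: "and earlier"
    "shop-new-01": "2.4.9",        # branch the page says nothing about
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts that land in the review bucket should be checked against the Adobe advisory rather than assumed safe; the page's data only bounds the listed branches.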

A low-privileged attacker with network access can exploit this vulnerability remotely with low complexity and without requiring user interaction. Successful exploitation results in high impacts to confidentiality and integrity, enabling the attacker to escalate privileges and access restricted resources.

Adobe's security advisory APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides details on the vulnerability and recommended mitigations.

Details

CWE(s)
CWE-285 (Improper Authorization); NVD-CWE-noinfo

Affected Products

adobe : commerce b2b
Versions 1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.0; also all versions ≤ 1.3.3

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes an improper authorization flaw that a low-privileged, authenticated attacker can use to bypass security controls and gain access beyond their role. That is exploitation of a software vulnerability to elevate privileges, which maps directly to T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References