CVE-2025-24434
Published: 11 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24434 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, this flaw enables privilege escalation by allowing attackers to bypass security measures and gain unauthorized access.
With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), the vulnerability is exploitable remotely by unauthenticated attackers without requiring user interaction. Successful exploitation can lead to session takeover, resulting in high confidentiality and integrity impacts.
Adobe's security bulletin APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides guidance on mitigation and patches for affected versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect authorization vulnerability in public-facing Adobe Commerce web app enables remote unauthenticated exploitation for initial access (T1190) and privilege escalation via bypass (T1068), leading to session takeover.