Cyber Resilience

CVE-2025-24406

High

Published: 11 February 2025

Modified: 17 April 2025
KEV Added: not listed
Patch: see Adobe advisory APSB25-08
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0024 (46.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24406 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Commerce. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 46.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier contain a path traversal vulnerability (CWE-22): user-controlled pathnames are not properly limited to a restricted directory. The flaw allows an unauthenticated attacker to bypass a security control and modify files stored outside the intended directory. The CVSS 3.1 base score of 7.5 reflects a network attack vector, low attack complexity and high integrity impact, with no privileges or user interaction required.

An unauthenticated remote attacker can exploit the issue over the network to alter arbitrary files beyond the restricted directory, achieving a security feature bypass that could undermine application protections or integrity controls. No user interaction or authentication is needed for successful exploitation.

The Adobe advisory APSB25-08 at helpx.adobe.com/security/products/magento/apsb25-08.html addresses the affected Magento/Adobe Commerce releases and directs administrators to apply the corresponding security patches.

EPSS for the CVE rose from a low baseline to a peak of 0.0160 on 2026-01-13 before receding to the current value of 0.0024, indicating that exploitation interest emerged after disclosure.

Vulnerability details

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The path traversal vulnerability affects a public-facing web application (Adobe Commerce) and can be exploited remotely without authentication (T1190). The ability to modify files outside the restricted directory directly facilitates writing malicious code to deploy a web shell (T1505.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34653 (same product: Adobe Commerce)
CVE-2026-34645 (same product: Adobe Commerce)
CVE-2026-21309 (same product: Adobe Commerce)
CVE-2026-21289 (same product: Adobe Commerce)
CVE-2026-34646 (same product: Adobe Commerce)
CVE-2025-24409 (same product: Adobe Commerce)
CVE-2026-34647 (same product: Adobe Commerce)
CVE-2026-34648 (same product: Adobe Commerce)
CVE-2026-21284 (same product: Adobe Commerce)
CVE-2025-24438 (same product: Adobe Commerce)

Affected Assets

Vendor: adobe · Product: commerce · Versions: 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · Range: ≤ 2.4.4
Vendor: adobe · Product: commerce b2b · Versions: 1.3.3, 1.3.4, 1.3.5, 1.4.2, 1.5.0 · Range: ≤ 1.3.3
Vendor: adobe · Product: magento · Versions: 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8 · Range: ≤ 2.4.4

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly prevents path traversal by validating pathname inputs to ensure they stay within restricted directories.

Prevent: Restricts invalid pathname inputs such as traversal sequences (e.g., '../') to block exploitation attempts.

Prevent: Remediates the specific path traversal flaw through timely patching of affected Adobe Commerce versions.
