CVE-2025-24406
Published: 11 February 2025
Summary
CVE-2025-24406 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Commerce. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal by validating pathname inputs to ensure they stay within restricted directories.
Restricts invalid pathname inputs such as traversal sequences (e.g., '../') to block exploitation attempts.
Remediates the specific path traversal flaw through timely patching of affected Adobe Commerce versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability affects a public-facing web application (Adobe Commerce) and can be exploited remotely without authentication (T1190). The ability to modify files outside the restricted directory directly facilitates writing malicious code to deploy a web shell (T1100).
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this…
more
vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.
Deeper analysisAI
CVE-2025-24406 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as Path Traversal (CWE-22), affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, this issue allows a security feature bypass by enabling access to files outside the intended restricted directory.
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Successful exploitation permits the modification of files stored outside the restricted directory, potentially compromising the integrity of critical data or configurations.
Adobe's security bulletin APSB25-08 provides details on the vulnerability, including affected versions and recommended patches, accessible at https://helpx.adobe.com/security/products/magento/apsb25-08.html. Security practitioners should consult this advisory for mitigation guidance.
Details
- CWE(s)