CVE-2025-24406
Published: 11 February 2025
Summary
CVE-2025-24406 is a high-severity Path Traversal (CWE-22) vulnerability in Adobe Commerce. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier contain a path traversal vulnerability (CWE-22) in which a pathname is not properly limited to a restricted directory. The flaw allows an unauthenticated attacker to bypass a security control and modify files stored outside the intended directory. The CVSS 3.1 base score of 7.5 reflects a network attack vector, low attack complexity, and high integrity impact, with no privileges or user interaction required.
An unauthenticated remote attacker can exploit the issue over the network to alter arbitrary files beyond the restricted directory, achieving a security feature bypass that could undermine application protections or integrity controls. No user interaction or authentication is needed for successful exploitation.
The Adobe advisory APSB25-08 at helpx.adobe.com/security/products/magento/apsb25-08.html addresses the affected Magento/Adobe Commerce releases and directs administrators to apply the corresponding security patches.
EPSS for the CVE rose from a low baseline to a peak of 0.0160 on 2026-01-13 before receding to the current value of 0.0024, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3687
Vulnerability details
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability affects a public-facing web application (Adobe Commerce) and can be exploited remotely without authentication (T1190). The ability to modify files outside the restricted directory directly facilitates writing malicious code to deploy a web shell (T1100).
Mitigating Controls (NIST 800-53 r5)
- Directly prevents path traversal by validating pathname inputs to ensure they stay within restricted directories.
- Restricts invalid pathname inputs such as traversal sequences (e.g., '../') to block exploitation attempts.
- Remediates the specific path traversal flaw through timely patching of affected Adobe Commerce versions.