CVE-2025-24407
Published: 11 February 2025
Summary
CVE-2025-24407 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Commerce B2B. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood percentile is 18.2 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on every access to system resources, which is exactly the check whose incorrect implementation lets a low-privileged attacker perform actions that were never granted.
- AC-6 (Least Privilege): limits what a low-privileged account can reach in the first place, so that a bypass of one authorization check exposes less sensitive data and permits fewer unauthorized modifications.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as this CVE, here by applying the patches listed in Adobe's APSB25-08 advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect authorization (CWE-863) in an internet-facing Adobe Commerce deployment lets a low-privileged attacker with network access bypass permission checks, reading data and making limited modifications that were never granted. That maps to Exploit Public-Facing Application (T1190) for reaching the flaw over the network and to Exploitation for Privilege Escalation (T1068) for the permission bypass itself.
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low privileged attacker could exploit this vulnerability to perform actions with permissions that were not granted leading to both a High impact to confidentiality and Low impact to integrity. Exploitation of this issue does not require user interaction.
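To turn the version list above into a triage check, here is an added example (not from this page, NVD or Adobe) that parses Adobe Commerce version strings and reports whether an installed build sits at or below one of the listed ceilings. It takes the wording literally: a build is affected when it is at or below the listed version in the same 2.4.x line, or when its whole line is older than the oldest listed line (2.4.4); a line the description does not mention (for instance 2.4.8 GA) is reported as not listed rather than as safe. The ordering it assumes (GA below its -pN security patches, -betaN below GA) is an assumption about how Adobe numbers releases, and the inventory at the bottom is constructed sample data.

```python
import re
from typing import List, Tuple

# Ceilings exactly as given in the NVD description for CVE-2025-24407.
AFFECTED_CEILINGS = ["2.4.8-beta1", "2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11"]

# Adobe Commerce versions look like 2.4.7, 2.4.7-p3 or 2.4.8-beta1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Map a version string to a sortable key (major, minor, patch, channel, n).

    channel is 0 for a beta and 1 for GA and its security patches, so that
    2.4.8-beta1 < 2.4.8 < 2.4.8-p1 (assumed ordering of Adobe's numbering).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    channel, n = m.group(4), m.group(5)
    if channel == "beta":
        return (major, minor, patch, 0, int(n))
    return (major, minor, patch, 1, int(n) if channel == "p" else 0)


def is_affected(version: str, ceilings: List[str] = AFFECTED_CEILINGS) -> bool:
    """True if `version` is at or below a listed ceiling ("X and earlier")."""
    key = parse_version(version)
    ceiling_keys = [parse_version(c) for c in ceilings]
    oldest_line = min(c[:3] for c in ceiling_keys)
    if key[:3] < oldest_line:
        return True  # the whole release line is older than anything listed
    # Same 2.4.x line and at or below that line's ceiling.
    return any(key[:3] == c[:3] and key <= c for c in ceiling_keys)


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Classify a batch of installed versions, e.g. from an inventory export."""
    return [(v, is_affected(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2.4.7-p3", "2.4.7-p4", "2.4.7", "2.4.8-beta1", "2.4.8", "2.4.3-p2"]
    for v, hit in triage(sample):
        print(f"{v:<12} {'AFFECTED' if hit else 'not listed'}")
```

A "not listed" result for a release line the description never mentions only means this page makes no claim about it; Adobe's APSB25-08 advisory remains the authority on which builds carry the fix.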
Deeper analysis
CVE-2025-24407 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it enables a security feature bypass, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact and low integrity impact.
A low-privileged attacker with network access can exploit this vulnerability without user interaction. Successful exploitation allows the attacker to perform actions beyond their granted permissions, potentially accessing sensitive data (high confidentiality impact) and making limited unauthorized modifications (low integrity impact).
Adobe's security advisory APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides details on mitigation, including recommended patches for affected versions.
Details
- CWE(s)