CVE-2025-24409
Published: 11 February 2025
Summary
CVE-2025-24409 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Commerce. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to information and resources, directly preventing incorrect authorization vulnerabilities that bypass security features.
Requires timely identification, reporting, and correction of flaws like this authorization bypass in affected Adobe Commerce versions via patching.
Applies least privilege to limit the scope and impact of unauthorized access gained through the authorization bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect authorization vulnerability in public-facing Adobe Commerce app enables remote unauthorized access without privileges, directly mapping to exploitation of public-facing applications for initial access.
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading…
more
to both a High impact to confidentiality and Low impact to integrity. Exploitation of this issue does not require user interaction.
Deeper analysisAI
CVE-2025-24409 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, it enables a security feature bypass, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to significant confidentiality impact and minor integrity impact.
The vulnerability can be exploited by a remote attacker requiring no privileges or user interaction. Attackers can leverage it over the network with low complexity to bypass security measures, gain unauthorized access, compromise high-impact confidentiality (such as accessing sensitive data), and achieve low-impact integrity modifications.
Adobe's security advisory provides details on mitigation; refer to https://helpx.adobe.com/security/products/magento/apsb25-08.html for patches and recommended actions.
Details
- CWE(s)