CVE-2025-24411
Published: 11 February 2025
Summary
CVE-2025-24411 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe Commerce. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to information and system resources, directly countering the improper access control vulnerability that enables security feature bypass.
Requires timely identification, reporting, and correction of system flaws like this CVE through patching and updates, eliminating the improper access control vulnerability.
Limits privileges to only those necessary for tasks, reducing the impact of unauthorized access gained by low-privileged attackers exploiting the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper access control vulnerability in the public-facing Adobe Commerce web application allows low-privileged authenticated attackers to bypass security features for unauthorized access (high confidentiality/integrity impact), directly enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized…
more
access affecting Confidentiality and Integrity. Exploitation of this issue does not require user interaction.
Deeper analysisAI
CVE-2025-24411 is an Improper Access Control vulnerability (CWE-284) in Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. This flaw enables a security feature bypass, allowing unauthorized access that impacts confidentiality and integrity. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-02-11.
A low-privileged attacker with network access can exploit this issue without requiring user interaction. Successful exploitation allows the attacker to bypass security measures, resulting in unauthorized access with high impacts to confidentiality and integrity, but no availability disruption.
Adobe's security bulletin APSB25-08 provides details on mitigation, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html.
Details
- CWE(s)