CVE-2025-24418
Published: 11 February 2025
Summary
CVE-2025-24418 is a high-severity Improper Authorization (CWE-285) vulnerability in Adobe Commerce B2B. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 22.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Vendor patch (APSB25-08): Directly remediates the improper authorization flaw in Adobe Commerce by applying the vendor patches from APSB25-08, preventing the privilege escalation.
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly countering the improper authorization that lets low-privileged attackers escalate privileges.
- AC-6 (Least Privilege): Restricts each account to only the permissions it needs, limiting the impact of a privilege escalation through this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an improper authorization vulnerability that directly enables privilege escalation for low-privileged attackers, allowing bypass of security controls to gain unauthorized access. This maps precisely to T1068: Exploitation for Privilege Escalation.
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Deeper analysis
CVE-2025-24418 is an Improper Authorization vulnerability (CWE-285) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. This issue enables privilege escalation, allowing low-privileged attackers to bypass security measures and gain unauthorized access. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-02-11.
A low-privileged attacker with network access can exploit this vulnerability remotely, with low attack complexity and without user interaction. Successful exploitation has a high impact on confidentiality and integrity (availability is not affected), enabling the attacker to escalate privileges and access restricted resources.
Adobe's security advisory APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides details on the vulnerability and recommended mitigations.
Details
- CWE(s)