CVE-2025-24434
Published: 11 February 2025
Summary
CVE-2025-24434 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Commerce. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly preventing privilege escalation from incorrect authorization flaws.
Applies least privilege to restrict unauthorized elevated access even if authorization checks fail, mitigating session takeover risks.
Remediates the specific authorization vulnerability through timely flaw identification, reporting, and patching as per vendor guidance.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect authorization vulnerability in public-facing Adobe Commerce web app enables remote unauthenticated exploitation for initial access (T1190) and privilege escalation via bypass (T1068), leading to session takeover.
NVD Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this…
more
issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Deeper analysisAI
CVE-2025-24434 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. Published on 2025-02-11, this flaw enables privilege escalation by allowing attackers to bypass security measures and gain unauthorized access.
With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), the vulnerability is exploitable remotely by unauthenticated attackers without requiring user interaction. Successful exploitation can lead to session takeover, resulting in high confidentiality and integrity impacts.
Adobe's security bulletin APSB25-08, available at https://helpx.adobe.com/security/products/magento/apsb25-08.html, provides guidance on mitigation and patches for affected versions.
Details
- CWE(s)