CVE-2025-27192
LOWCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Description
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.
Analysis
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Technical Context
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction. Affected products include: Adobe Commerce, Adobe Commerce B2B, Adobe Magento.
Affected Products
Adobe Commerce, Adobe Commerce B2B, Adobe Magento.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today