
PHP CVE-2025-43585

EUVD-2025-17708 | HIGH
Improper Authorization (CWE-285)
Published 2025-06-10 | CNA contact: psirt@adobe.com | GHSA-r487-9vv5-75gg
CVSS 3.1 base score: 8.2

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd) - patch available
EUVD ID assigned: Mar 14, 2026 - 19:49 (euvd) - EUVD-2025-17708
Analysis generated: Mar 14, 2026 - 19:49 (vuln.today)
CVE published: Jun 10, 2025 - 16:15 (nvd) - HIGH 8.2

Description (NVD)

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.

Analysis (AI-generated)

Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. This vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The 8.2 CVSS score combined with the network-accessible attack vector and lack of authentication requirements indicates significant real-world risk.

Technical Context (AI-generated)

This vulnerability is classified as CWE-285 (Improper Authorization), representing a fundamental flaw in Adobe Commerce's access control mechanisms. The affected product is Adobe Commerce (e-commerce platform), which manages catalogs, orders, customer data, and administrative functions. Affected versions include: 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier. The vulnerability exists in the authorization logic layer, where insufficient validation of user privileges allows attackers to perform actions or access resources they should not be permitted to access. As Adobe Commerce is built on the Magento platform and handles critical business logic, compromised authorization can lead to unauthorized modification of product listings, order data, customer information, or administrative settings. The network-accessible nature (AV:N) indicates no physical access or local system compromise is required.

Remediation (AI-generated)

Immediate actions:

1. Update Adobe Commerce to the patched versions released by Adobe for CVE-2025-43585 (patch versions above 2.4.8, or the subsequent point releases 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14).
2. Consult Adobe's official security advisory at https://helpx.adobe.com/security/products/magento/apsb25-[XX] for exact patch availability and release dates.
3. Prioritize patching of production environments immediately, given the unauthenticated remote exploitability.
4. Interim mitigations pending patching may include: network-level access controls restricting untrusted traffic to Adobe Commerce admin/API endpoints; Web Application Firewall (WAF) rules blocking exploitation patterns once they are publicly documented; and enhanced logging/monitoring of authorization failures and privilege escalation attempts.
5. Verify patch application through version checks and security scanning after deployment.


CVE-2025-43585 vulnerability details – vuln.today
