CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.
Analysis
Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. The vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The CVSS 3.1 base score of 8.2 (High), combined with the network attack vector (AV:N) and the absence of any authentication or user-interaction requirement (PR:N, UI:N), indicates significant real-world risk.
Technical Context
This vulnerability is classified as CWE-285 (Improper Authorization), representing a fundamental flaw in Adobe Commerce's access control mechanisms. The affected product is Adobe Commerce (e-commerce platform), which manages catalogs, orders, customer data, and administrative functions. Affected versions include: 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier. The vulnerability exists in the authorization logic layer, where insufficient validation of user privileges allows attackers to perform actions or access resources they should not be permitted to access. As Adobe Commerce is built on the Magento platform and handles critical business logic, compromised authorization can lead to unauthorized modification of product listings, order data, customer information, or administrative settings. The network-accessible nature (AV:N) indicates no physical access or local system compromise is required.
Affected Products
Adobe Commerce affected versions: 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and all earlier versions. Estimated CPE coverage includes: cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:* (versions <=2.4.8). Organizations running any Community Edition or Enterprise Edition of these versions are affected. The vulnerability impacts both cloud-hosted (Adobe Commerce Cloud) and self-hosted deployments. No specific configuration exemptions have been identified, suggesting all installations are vulnerable by default.
Remediation
Immediate actions:
1. Update Adobe Commerce to the patched versions released by Adobe for CVE-2025-43585 (patch versions above 2.4.8, or the subsequent point releases 2.4.7-p6, 2.4.6-p11, 2.4.5-p13 and 2.4.4-p14).
2. Consult Adobe's official security advisory at https://helpx.adobe.com/security/products/magento/apsb25-[XX] for exact patch availability and release dates.
3. Prioritize patching of production environments immediately, given the unauthenticated remote exploitability.
4. Interim mitigations pending patching may include: network-level access controls restricting untrusted traffic to Adobe Commerce admin and API endpoints; Web Application Firewall (WAF) rules blocking exploitation patterns once they are publicly documented; and enhanced logging and monitoring of authorization failures and privilege-escalation attempts.
5. Verify patch application through version checks and security scanning after deployment.
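For the version check in step 5, the following Python helper is an added example (not part of this advisory or of Adobe's tooling) that encodes the affected-version thresholds from the Affected Products section and screens a list of Adobe Commerce version strings; the sample inventory is constructed, and the treatment of anything newer than 2.4.8 as outside the published range is an assumption that should be confirmed against Adobe's advisory.

```python
import re

# Highest affected release on each 2.4.x branch, per the advisory's Affected
# Products list (2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier).
# A release with no "-p" suffix counts as patch level 0.
MAX_AFFECTED = {
    (2, 4, 8): 0,
    (2, 4, 7): 5,
    (2, 4, 6): 10,
    (2, 4, 5): 12,
    (2, 4, 4): 13,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Split '2.4.7-p5' into ((2, 4, 7), 5); '2.4.8' becomes ((2, 4, 8), 0)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version string: {version!r}")
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point)), int(patch or 0)


def is_affected(version):
    """True if the version falls inside the advisory's published affected set."""
    base, patch = parse_version(version)
    newest_branch = max(MAX_AFFECTED)  # (2, 4, 8)
    if base > newest_branch:
        # Assumption: later point releases are outside the published range.
        return False
    if base in MAX_AFFECTED:
        # On a listed branch, only patch levels up to the listed one are affected.
        return patch <= MAX_AFFECTED[base]
    # Any branch older than 2.4.4 is covered by "and earlier".
    return True


def triage(versions):
    """Map each version string in an inventory to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2.4.8", "2.4.8-p1", "2.4.7-p5", "2.4.7-p6", "2.4.3-p3", "2.3.7-p4"]
    for v, hit in triage(sample).items():
        print(f"{v:10s} {'AFFECTED' if hit else 'outside published affected range'}")
```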
EUVD-2025-17708
GHSA-r487-9vv5-75gg