What is the CVSS score of CVE-2025-43586?

CVE-2025-43586 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Magento are affected by CVE-2025-43586?

Adobe Commerce installations are vulnerable to privilege escalation attacks that allow low-privileged users to gain unauthorized administrative access without requiring user interaction.

How to fix or mitigate CVE-2025-43586?

Within 24 hours: Inventory all Adobe Commerce instances and identify affected versions (2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 or earlier). Within 7 days: Implement network segmentation to restrict administrative access, enforce multi-factor authentication for all admin accounts, and enable comprehensive logging of privilege escalation attempts. Within 30 days: Plan and execute upgrade to patched versions when available, or migrate to a supported version with security updates.

Magento CVE-2025-43586

EUVD-2025-17705 HIGH

Improper Access Control (CWE-284)

2025-06-10 psirt@adobe.com

Privilege Escalation Adobe Magento Commerce Commerce B2b

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17705

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

CVE Published

Jun 10, 2025 - 16:15 nvd

HIGH 8.1

DescriptionNVD

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction.

AnalysisAI

A remote code execution vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-284 (Improper Access Control). CVSS 8.1 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

CVE-2025-43586 vulnerability details – vuln.today

Back