What is CVE-2025-24422?

Adobe Commerce versions 2.4.8-beta1 and earlier are impacted by an Improper Access Control vulnerability that allows unauthorized read access. Organizations should prioritize patching to mitigate this risk effectively.

What is the severity of CVE-2025-24422?

CVE-2025-24422 has a severity rating of MEDIUM with a CVSS base score of 6.5.

CVE-2025-24422 | Medium Vulnerability in Adobe Commerce B2B

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. This vulnerability allows low-privileged attackers to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, making it a significant risk for organizations relying on these versions.

The CVSS score for this vulnerability is 6.5, classifying it as medium severity. Organizations should assess the potential impact on their systems as the vulnerability has a high confidentiality impact. The fact that exploitation does not require user interaction increases the urgency for defenders to address this issue.

With respect to the current state of exploitation, there are no public exploits known for this vulnerability, and it is not included in the Known Exploited Vulnerabilities (KEV) catalog. Thus, organizations have a window to remediate before potential exploitation occurs.

Organizations should prioritize patching immediately to mitigate this risk effectively. Regularly reviewing security measures and keeping software up to date is critical in safeguarding against such vulnerabilities.

Vulnerability Details

The vulnerability allows unauthorized access due to improper access control mechanisms implemented in the affected versions of Adobe Commerce. The CVSS vector string for this issue is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that the attack vector is network-based, with low attack complexity and low privileges required for exploitation.

The affected product, Adobe Commerce B2B, is used widely among e-commerce platforms, making this vulnerability critical for many organizations. The CWE classification is CWE-284, which refers to improper access control.

Technical Analysis

The root cause of this vulnerability lies in the implementation of access controls that do not adequately restrict access to sensitive information. Attackers may leverage this vulnerability over a network, exploiting the low complexity of the attack without requiring any user interaction.

Since the exploitation does not require high privileges, even low-privileged users can potentially gain unauthorized access to confidential data. This vulnerability does not impact the integrity or availability of the system, but the high confidentiality impact poses a significant threat.

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive data, which could lead to data breaches and compliance violations. The potential blast radius of this vulnerability is significant due to the widespread use of Adobe Commerce in e-commerce applications.

Organizations must consider the urgency of addressing this vulnerability based on its CVSS score of 6.5, indicating a medium risk. Regularly updating and patching systems is essential to prevent unauthorized access and maintain the integrity of sensitive information.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions prior to vendor patch are affected, specifically Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. Organizations should consult the vendor for updates and remediation steps.

Mitigation & Remediation

Organizations using affected versions should apply patches immediately to mitigate this vulnerability. Additionally, implementing strict access controls and regularly reviewing security configurations can help reduce the risk of unauthorized access.

For further guidance on securing your applications, consider engaging in application security assessments to identify and remediate similar vulnerabilities.

Detection Guidance

Organizations should monitor logs for unauthorized access attempts and review system configurations for signs of improper access control. Regular audits of user permissions can also help identify any potential weaknesses.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of implementing robust access controls in e-commerce applications. As attackers continue to seek vulnerabilities that allow unauthorized access to sensitive data, organizations need to prioritize security measures.

For organizations looking to strengthen their security posture, ongoing training and awareness are crucial. Consider reviewing our security awareness programs to ensure that teams are well-equipped to handle emerging threats.

Additionally, examining your vulnerability management programs and ensuring they are effective can help mitigate future risks. For more information on how to establish a robust program, refer to our vulnerability management program guide.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-24422: Medium Vulnerability in Adobe Commerce B2B