- Bulletin ID: APSB25-08
- Published: February 11, 2025
- Priority: 1
- Severity: Critical
- CVE Count: 31
Affected Versions
- Adobe Commerce: 2.4.8-beta1, 2.4.7-p3 and earlier, 2.4.6-p8 and earlier, 2.4.5-p10 and earlier, 2.4.4-p11 and earlier
- Adobe Commerce B2B: 1.5.0 and earlier, 1.4.2-p3 and earlier, 1.3.5-p8 and earlier, 1.3.4-p10 and earlier, 1.3.3-p11 and earlier
- Magento Open Source: 2.4.8-beta1, 2.4.7-p3 and earlier, 2.4.6-p8 and earlier, 2.4.5-p10 and earlier, 2.4.4-p11 and earlier
Vulnerability Details
Total Vulnerabilities: 31
Severity Breakdown:
- Moderate: 3
- Important: 14
- Critical: 14
Key Vulnerabilities:
1. CVE-2025-24406
- Category: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
- Impact: Privilege escalation
- Severity: Critical
- CVSS Score: 7.5
- Authentication Required: No
2. CVE-2025-24407
- Category: Incorrect Authorization (CWE-863)
- Impact: Security feature bypass
- Severity: Critical
- CVSS Score: 7.1
- Authentication Required: Yes
3. CVE-2025-24408
- Category: Information Exposure (CWE-200)
- Impact: Privilege escalation
- Severity: Critical
- CVSS Score: 8.1
- Authentication Required: Yes
…and 28 more vulnerabilities
CVE Identifiers
CVE-2025-24418, CVE-2025-24407, CVE-2025-24429, CVE-2025-24421, CVE-2025-24434, CVE-2025-24419, CVE-2025-24427, CVE-2025-24435, CVE-2025-24426, CVE-2025-24428, CVE-2025-24425, CVE-2025-24415, CVE-2025-24412, CVE-2025-24423, CVE-2025-24413, CVE-2025-24438, CVE-2025-24409, CVE-2025-24437, CVE-2025-24406, CVE-2025-24411, CVE-2025-24414, CVE-2025-24416, CVE-2025-24422, CVE-2025-24432, CVE-2025-24436, CVE-2025-24410, CVE-2025-24408, CVE-2025-24417, CVE-2025-24420, CVE-2025-24430, CVE-2025-24424