CVE-2025-24411: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability (CVE-2025-24411) that was disclosed on February 11, 2025. This critical vulnerability could result in a security feature bypass, allowing unauthorized access to protected resources (Adobe Security Bulletin, NVD).

The vulnerability is classified as an Improper Access Control (CWE-284) issue with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability requires authentication to exploit and requires administrative privileges. The high severity rating indicates significant potential impact on confidentiality, integrity, and availability of the system (Adobe Security Bulletin).

Successful exploitation of this vulnerability could lead to a security feature bypass, allowing a low-privileged attacker to bypass security measures and gain unauthorized access. The vulnerability affects both confidentiality and integrity of the system, with potential for unauthorized access to protected resources (NVD).

Adobe has released security updates to address this vulnerability. Users are recommended to update to the following versions: Adobe Commerce 2.4.8-beta2 for 2.4.8-beta1, 2.4.7-p4 for 2.4.7-p3 and earlier, 2.4.6-p9 for 2.4.6-p8 and earlier, 2.4.5-p11 for 2.4.5-p10 and earlier, and 2.4.4-p12 for 2.4.4-p11 and earlier (Adobe Security Bulletin).

Security researcher Akash Hamal (akashhamal0x01) was credited with discovering and reporting this vulnerability along with several others in the same security update (Adobe Security Bulletin).