CVE-2025-24425: 
PHP vulnerability analysis and mitigation

CVE-2025-24425 is a Business Logic Error vulnerability affecting Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The vulnerability was disclosed on February 11, 2025, and could result in a security feature bypass. This vulnerability allows an attacker to circumvent intended security mechanisms by manipulating the logic of the application's operations, potentially causing limited data modification (Adobe Security).

The vulnerability is classified as CWE-840 (Business Logic Errors) with a CVSS base score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability can be exploited remotely and does not require user interaction. According to the technical assessment, no authentication is required to exploit this vulnerability (Adobe Security).

If exploited, this vulnerability could lead to limited data modification through security feature bypass. The impact is primarily focused on the integrity of the system, with no direct effect on confidentiality or availability as indicated by the CVSS metrics (Adobe Security).

Adobe has released security updates to address this vulnerability. Users are recommended to update to the following versions: 2.4.8-beta2 for 2.4.8-beta1, 2.4.7-p4 for 2.4.7-p3 and earlier, 2.4.6-p9 for 2.4.6-p8 and earlier, 2.4.5-p11 for 2.4.5-p10 and earlier, or 2.4.4-p12 for 2.4.4-p11 and earlier (Adobe Security).

The vulnerability was responsibly disclosed by security researcher Akash Hamal (akashhamal0x01), who worked with Adobe to help protect their customers (Adobe Security).