CVE-2025-27189: 
Adobe Commerce vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-27189. The vulnerability was disclosed on April 8, 2025, and affects multiple versions of Adobe Commerce and Magento Open Source platforms (NVD, Adobe Security).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) weakness (CWE-352) that could be exploited to cause a denial-of-service condition. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating network accessibility, low attack complexity, no privileges required, and user interaction needed (NVD).

If successfully exploited, an attacker could trick a logged-in user into submitting a forged request to the vulnerable application, which may disrupt service availability. The impact is primarily focused on the availability of the service, with no direct impact on confidentiality or integrity (NVD).

Adobe has released security updates to address this vulnerability. Organizations should update to the latest versions of Adobe Commerce and apply appropriate security patches. The fix is available in Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, and 2.4.4-p13 (Adobe Security).