CVE-2025-27191: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. The vulnerability was disclosed on April 8, 2025, and has been assigned CVE-2025-27191. This security issue allows attackers to bypass security measures and gain unauthorized access without requiring user interaction (NVD).

The vulnerability has been classified as an Improper Access Control issue (CWE-284). According to the CVSS 3.1 scoring system, it has received a base score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in low-impact integrity breaches (NVD).

The vulnerability could result in a security feature bypass, allowing attackers to circumvent established security measures. The CVSS scoring indicates that while there is no impact on confidentiality or availability, there is a low impact on integrity. The vulnerability's network accessibility and lack of required user interaction make it particularly concerning for exposed systems (NVD).

Adobe has addressed this vulnerability in their security advisory. Users are advised to update their Adobe Commerce installations to versions newer than those affected (2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2) (Adobe Security).