CVE-2025-27206: 
Adobe Commerce vulnerability analysis and mitigation

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability (CVE-2025-27206). The vulnerability was discovered and reported by Adobe Systems Incorporated on February 19, 2025. This security issue could result in a security feature bypass, potentially allowing attackers to gain limited write access without requiring user interaction (NVD, CVE).

The vulnerability is classified as an Improper Access Control issue (CWE-284). It has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and has a limited impact on integrity while not affecting confidentiality or availability (NVD).

The vulnerability could result in a security feature bypass, allowing attackers to gain limited write access to affected systems. The CVSS metrics indicate that while there is no impact on confidentiality or availability, there is a low impact on system integrity (NVD).

Adobe has released security updates for affected versions of Adobe Commerce. Users should upgrade to the latest version to mitigate this vulnerability (Adobe Security).