Plattform
php
Komponente
magento/community-edition
Behoben in
2.4.9
2.4.7-p4
CVE-2025-24406 describes a Path Traversal vulnerability discovered in Magento Community Edition. This flaw allows an unauthenticated attacker to modify files outside of the intended directory, potentially bypassing security controls. The vulnerability impacts versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. A patch is available in version 2.4.7-p4.
Successful exploitation of CVE-2025-24406 could grant an attacker unauthorized access to sensitive system files and configurations. By modifying these files, an attacker could potentially escalate privileges, inject malicious code, or compromise the entire Magento installation. The lack of user interaction required for exploitation significantly increases the risk, as an attacker can remotely trigger the vulnerability without any user action. This vulnerability is particularly concerning given Magento's widespread use in e-commerce, where sensitive customer data and financial information are processed.
CVE-2025-24406 was publicly disclosed on February 11, 2025. The vulnerability's ease of exploitation and the potential impact on e-commerce platforms suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
E-commerce businesses running Magento Community Edition versions 2.4.4 through 2.4.7-p3 are at significant risk. Specifically, organizations using legacy Magento installations with outdated security practices and those relying on shared hosting environments are particularly vulnerable, as they may have limited control over server configurations and file permissions.
• php: Review web server access logs for unusual file access attempts, particularly those targeting files outside the intended web root directory. Look for requests containing path traversal sequences like ../.
grep '../' /var/log/apache2/access.log• php: Examine Magento's file system permissions to ensure that only authorized users and processes have write access to critical files and directories.
find /var/www/magento -type d -perm -2 -print• generic web: Monitor for unexpected file modifications within the Magento installation directory. Use file integrity monitoring tools to detect unauthorized changes. • generic web: Check response headers for any signs of unauthorized file access or disclosure.
disclosure
Exploit-Status
EPSS
0.24% (46% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-24406 is to upgrade Magento Community Edition to version 2.4.7-p4 or later. If upgrading immediately is not feasible, consider implementing stricter file access controls and directory permissions to limit the potential impact of a successful exploit. Review and harden your web server configuration to prevent unauthorized file modifications. While a WAF might offer some protection, it is not a substitute for patching the underlying vulnerability. After upgrading, verify the fix by attempting to access files outside the intended directory via a web browser; access should be denied.
Actualice Adobe Commerce a la última versión disponible que incluya la corrección para esta vulnerabilidad de path traversal. Consulte el boletín de seguridad de Adobe (APSB25-08) para obtener más detalles e instrucciones específicas de actualización.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-24406 is a Path Traversal vulnerability affecting Magento Community Edition versions up to 2.4.7-p3, allowing attackers to potentially modify files outside the intended directory.
You are affected if you are running Magento Community Edition versions 2.4.4 through 2.4.7-p3. Upgrade to 2.4.7-p4 or later to mitigate the risk.
The recommended fix is to upgrade to Magento Community Edition version 2.4.7-p4 or later. If immediate upgrade is not possible, implement stricter file access controls.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Magento Security Advisories page for the latest information and updates regarding CVE-2025-24406: [https://devdocs.magento.com/security/guides/sa/index.html](https://devdocs.magento.com/security/guides/sa/index.html)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.