Platform
php
Component
magento/community-edition
Fixed in
2.4.9
2.4.7-p4
CVE-2025-24406 describes a Path Traversal vulnerability discovered in Magento Community Edition. This flaw allows an unauthenticated attacker to modify files outside of the intended directory, potentially bypassing security controls. The vulnerability impacts versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, and earlier. A patch is available in version 2.4.7-p4.
Successful exploitation of CVE-2025-24406 could grant an attacker unauthorized access to sensitive system files and configurations. By modifying these files, an attacker could potentially escalate privileges, inject malicious code, or compromise the entire Magento installation. The lack of user interaction required for exploitation significantly increases the risk, as an attacker can remotely trigger the vulnerability without any user action. This vulnerability is particularly concerning given Magento's widespread use in e-commerce, where sensitive customer data and financial information are processed.
CVE-2025-24406 was publicly disclosed on February 11, 2025. The vulnerability's ease of exploitation and the potential impact on e-commerce platforms suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.24% (46% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24406 is to upgrade Magento Community Edition to version 2.4.7-p4 or later. If upgrading immediately is not feasible, consider implementing stricter file access controls and directory permissions to limit the potential impact of a successful exploit. Review and harden your web server configuration to prevent unauthorized file modifications. While a WAF might offer some protection, it is not a substitute for patching the underlying vulnerability. After upgrading, verify the fix by attempting to access files outside the intended directory via a web browser; access should be denied.
Actualice Adobe Commerce a la última versión disponible que incluya la corrección para esta vulnerabilidad de path traversal. Consulte el boletín de seguridad de Adobe (APSB25-08) para obtener más detalles e instrucciones específicas de actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-24406 is a Path Traversal vulnerability affecting Magento Community Edition versions up to 2.4.7-p3, allowing attackers to potentially modify files outside the intended directory.
You are affected if you are running Magento Community Edition versions 2.4.4 through 2.4.7-p3. Upgrade to 2.4.7-p4 or later to mitigate the risk.
The recommended fix is to upgrade to Magento Community Edition version 2.4.7-p4 or later. If immediate upgrade is not possible, implement stricter file access controls.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Magento Security Advisories page for the latest information and updates regarding CVE-2025-24406: [https://devdocs.magento.com/security/guides/sa/index.html](https://devdocs.magento.com/security/guides/sa/index.html)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.