Platform: adobe
Component: magento
Fixed in: 2.4.10
CVE-2025-54265 is an Incorrect Authorization vulnerability in Adobe Commerce. It allows an attacker to bypass an authorization check and gain unauthorized read access to sensitive data. Affected versions run from 0.0.0 through 2.4.9-alpha2, inclusive. A patch is available in version 2.4.9-alpha3 (the header above lists 2.4.10 as the fixed release).
CVE-2025-54265 carries a CVSS score of 5.9. Because the flaw is an Incorrect Authorization weakness, an attacker can bypass the check that is supposed to protect a resource and read it without permission. Affected versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier releases on each of those lines. Exploitation depends on conditions outside the attacker's control, which lowers the likelihood of exploitation but does not rule it out. No user interaction is required, so a successful attempt would not be noticed by any user.
Because exploitation depends on conditions the attacker does not directly control, a broad automated campaign is less likely; an attacker must first find a deployment where those conditions hold. Once found, no user action is needed to trigger the flaw. The conditions themselves have not been publicly disclosed, so administrators cannot confirm or rule out exposure by inspection and should watch their Adobe Commerce systems for unusual data access until the patch is applied.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-54265 is to update Adobe Commerce to version 2.4.9-alpha3 or later, which contains the fix for the incorrect authorization check. Apply the update as soon as possible. In the meantime, review role and access configurations so that each account and integration holds only the permissions it needs (least privilege), and monitor system logs for reads of resources that the requesting identity should not be able to access. Keeping the platform current with Adobe's security patches remains the baseline control for any e-commerce deployment.
Apply the latest security update provided by Adobe for Adobe Commerce. Refer to the Adobe security page for more details and specific instructions on how to apply the fix.
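As an added example (not part of this advisory and not Adobe's code), the following Python script checks an installed Adobe Commerce version against the affected releases listed above. It reads the platform version from composer.lock and compares it per 2.4.x line rather than against the flat 0.0.0 through 2.4.9-alpha2 range, because that range over-approximates: 2.4.8-p3 sorts below 2.4.9-alpha2 numerically but is not in the affected list. The composer.lock content is constructed for the example. The metapackage names magento/product-community-edition and magento/product-enterprise-edition are the ones Composer records for the platform; the suffix ordering within a branch (alpha, beta, GA, then pN security patches) is an assumption about Adobe's numbering, as is the treatment of any branch not named in the list as outside the affected set.

```python
import json
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Per-branch ceilings taken from the advisory: each listed release and every
# earlier release on the same 2.4.x line is affected by CVE-2025-54265.
AFFECTED_CEILINGS = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}
OLDEST_LISTED_BRANCH = (2, 4, 4)  # anything older is covered by "and earlier"

# Adobe Commerce version strings look like "2.4.8", "2.4.7-p7", "2.4.9-alpha2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Assumed ordering inside one branch: pre-releases, then GA, then security patches.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


@dataclass(frozen=True)
class CommerceVersion:
    major: int
    minor: int
    patch: int
    suffix: Optional[str]  # "alpha", "beta", "p", or None for a GA release
    suffix_num: int        # the N in alphaN / pN; 0 for GA

    @classmethod
    def parse(cls, text: str) -> "CommerceVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Adobe Commerce version: {text!r}")
        major, minor, patch, suffix, num = m.groups()
        return cls(int(major), int(minor), int(patch), suffix, int(num) if num else 0)

    @property
    def branch(self):
        return (self.major, self.minor, self.patch)

    def sort_key(self):
        return (*self.branch, _SUFFIX_RANK[self.suffix], self.suffix_num)


def is_affected(version_text: str) -> bool:
    """True if the version falls inside the advisory's affected set."""
    v = CommerceVersion.parse(version_text)
    if v.branch < OLDEST_LISTED_BRANCH:
        return True  # "and earlier"
    ceiling = AFFECTED_CEILINGS.get(v.branch)
    if ceiling is None:
        return False  # branch not named as affected, e.g. 2.4.10 (assumption)
    return v.sort_key() <= CommerceVersion.parse(ceiling).sort_key()


# Metapackage names Composer records for Magento Open Source / Adobe Commerce.
METAPACKAGES = ("magento/product-community-edition", "magento/product-enterprise-edition")


def installed_version_from_lock(lock_text: str) -> str:
    """Pull the platform version out of a composer.lock document."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg["version"]
    raise LookupError("no Adobe Commerce metapackage found in composer.lock")


# Constructed composer.lock fragment for this example; a real file lists many more packages.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.9.1"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p7"},
    ]
})


if __name__ == "__main__":
    # Usage on a real store: python3 check_cve_2025_54265.py /path/to/composer.lock
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    ver = installed_version_from_lock(lock_text)
    status = "AFFECTED" if is_affected(ver) else "not in the listed affected set"
    print(f"Adobe Commerce {ver}: {status} for CVE-2025-54265")
```

Run it against the store's composer.lock to get a per-branch answer; a result of "not in the listed affected set" only means the version is above the listed ceiling for its line, so confirm against Adobe's advisory before treating the instance as patched.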
FAQ
Which versions are affected? Versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier are affected.
How is it fixed? Update to Adobe Commerce 2.4.9-alpha3 or later.
Does exploitation require user interaction? No, exploitation does not require user interaction.
What does Incorrect Authorization mean? It means the system is not correctly validating permissions, allowing unauthorized access.
Where can I find more information? Consult the official Adobe Commerce documentation and Adobe security advisories.