CVE-2025-54263 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-54263

CVE-2025-54263

October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.

Affected Packages

magento/community-edition (PHP):

Affected version(s) >=2.4.4-p1 <2.4.4-p16

Fix Suggestion:

Update to version 2.4.4-p16

magento/community-edition (PHP):

Affected version(s) >=dev-api-changes-develop-staging <2.4.6-p13

Fix Suggestion:

Update to version 2.4.6-p13

magento/community-edition (PHP):

Affected version(s) >=2.4.8-p1 <2.4.8-p3

Fix Suggestion:

Update to version 2.4.8-p3

magento/community-edition (PHP):

Affected version(s) >=2.4.5-p1 <2.4.5-p15

Fix Suggestion:

Update to version 2.4.5-p15

magento/community-edition (PHP):

Affected version(s) >=2.4.7-p1 <2.4.7-p8

Fix Suggestion:

Update to version 2.4.7-p8

magento/community-edition (PHP):

Affected version(s) >=2.4.8-beta1 <2.4.8-p3

Fix Suggestion:

Update to version 2.4.8-p3

magento/community-edition (PHP):

Affected version(s) >=2.4.9-alpha1 <2.4.9-alpha3

Fix Suggestion:

Update to version 2.4.9-alpha3

magento/community-edition (PHP):

Affected version(s) >=2.4.7-beta1 <2.4.7-p8

Fix Suggestion:

Update to version 2.4.7-p8

magento/community-edition (PHP):

Affected version(s) >=2.4.6-p1 <2.4.6-p13

Fix Suggestion:

Update to version 2.4.6-p13

Related Resources (3)

https://github.com/magento/magento2

https://nvd.nist.gov/vuln/detail/CVE-2025-54263

https://helpx.adobe.com/security/products/magento/apsb25-94.html

Do you need more information?

CVSS v4

Base Score:

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Incorrect Authorization

EPSS

Base Score:

0.11