Adobe Commerce | Improper Authorization (CWE-285)
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.8 and earlier are affected by an Improper Authorization vulnerability allowing security feature bypass with high integrity impact.
Vulnerability Overview
CVE-2025-43585 is an Improper Authorization vulnerability affecting Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and earlier. The vulnerability stems from insufficient authorization checks, which could allow an attacker to bypass implemented security measures and gain unauthorized access. The root cause lies in the inadequate enforcement of access controls within the application's authorization logic [1].
Attack Vector and Exploitation
The vulnerability can be exploited by an attacker without any user interaction. No special privileges or network position beyond standard access to the affected application are specified, and exploitation could be performed remotely. The vulnerability is classified as a security feature bypass, meaning an attacker can circumvent intended access restrictions [1].
Impact Assessment
Successful exploitation of CVE-2025-43585 results in a limited impact to confidentiality, but a high impact to integrity. This means an attacker could potentially modify critical data or system configurations without proper authorization, while the exposure of sensitive information remains limited. The attack does not require authentication or user interaction, increasing the potential for automated exploitation [1].
Mitigation Status
Adobe has issued patches for the affected versions, and users should upgrade to the latest available release to remediate the vulnerability. The official source for the fix is the Adobe Security Bulletin (APSB25-XX), and the Magento Open Source GitHub repository provides the source code for review [1][2]. No workarounds are documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- [1] NVD - CVE-2025-43585
- [2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p6 | 2.4.7-p6 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p11 | 2.4.6-p11 |
| magento/community-edition | Packagist | < 2.4.5-p13 | 2.4.5-p13 |
Affected products
- Range: <=2.4.8, <=2.4.7-p5, <=2.4.6-p10, <=2.4.5-p12, <=2.4.4-p13
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-p6, + 1 more
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p6
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r487-9vv5-75gg (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-50.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-43585 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.