CVE-2025-27206
Magento Improper Access Control leads to security feature bypass
5.3
MEDIUM
CVSS 3.1
EPSS 0.71%
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
How to fix CVE-2025-27206
To remediate CVE-2025-27206, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.7-p6 or later
- —no fix listed
Is CVE-2025-27206 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.4.7-beta1, < 2.4.7-p6
- from 0, <= 2.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |