Impact
This vulnerability is an incorrect authorization flaw in Adobe Commerce that lets an attacker bypass security controls and gain write access to protected resources. With that access, an attacker can alter configuration, upload arbitrary files, or perform other write operations that should be restricted, potentially enabling data tampering, privilege escalation, or application compromise. The defect is present in releases 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier, and exploitation does not require user interaction. The impact is therefore severe: an attacker can modify critical system behavior or data without needing direct access to a vulnerable account.
Affected Systems
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases are impacted. These versions are still used in many on-premises installations and represent a significant set of potentially vulnerable systems.
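The version list above is easy to misread when triaging an inventory of on-premises installs, so here is a small checker (added example, not OpenCVE's or Adobe's code) that parses Adobe Commerce version strings and decides whether a given install falls under "the listed patch level and earlier" on its branch. It assumes the usual ordering alpha < beta < GA < p1 < p2 ... within a branch, that every 2.4.x branch older than 2.4.4 is wholly affected, and that branches newer than 2.4.9 are out of scope; the inventory at the bottom is constructed sample data.

```python
import re

# Affected ceilings as listed in the advisory text: the highest patch level on each
# 2.4.x branch that is still affected ("... and all earlier releases").
AFFECTED_MAX = ["2.4.9-beta1", "2.4.8-p4", "2.4.7-p9", "2.4.6-p14", "2.4.5-p16", "2.4.4-p17"]

# Assumed ordering of suffixes within one branch: alpha < beta < GA (no suffix) < pN.
STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), (stage_rank, n)) for strings like '2.4.7-p9'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {text!r}")
    major, minor, patch, stage, n = m.groups()
    stage = (stage or "ga").lower()
    return (int(major), int(minor), int(patch)), (STAGE_RANK[stage], int(n or 0))


CEILINGS = dict(parse_version(v) for v in AFFECTED_MAX)
NEWEST_LISTED_BRANCH = max(CEILINGS)  # (2, 4, 9)


def is_affected(version):
    """True if `version` is at or below the affected ceiling for its branch."""
    branch, suffix = parse_version(version)
    if branch > NEWEST_LISTED_BRANCH:
        return False  # assumption: branches newer than any listed one are out of scope
    ceiling = CEILINGS.get(branch)
    if ceiling is None:
        return True  # unlisted older branch (e.g. 2.4.3-p3): "and all earlier releases"
    return suffix <= ceiling


def triage(inventory):
    """Map host -> version to the sorted list of hosts running an affected release."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"shop-a": "2.4.7-p9", "shop-b": "2.4.7-p10", "shop-c": "2.4.3-p3", "shop-d": "2.4.9"}
    print(triage(sample))  # ['shop-a', 'shop-c']
```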
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. Although no EPSS score is available, the fact that exploitation requires no user interaction and permits unauthorized write operations suggests a high likelihood of real-world impact, especially in environments where write access can influence critical application logic or data integrity. The vulnerability is not listed in the CISA KEV catalog, but its potential to compromise confidentiality, integrity, and availability remains significant. Based on the description, it is inferred that attackers could exploit this flaw remotely through exposed commerce APIs or web endpoints, collecting sensitive data or modifying assets and configuration to further their objectives.
OpenCVE Enrichment