News

Adobe Issues Critical Security Update for Adobe Commerce and Magento Open Source (APSB25-71)

Foreword

Adobe has released a new security update for Adobe Commerce and Magento Open Source, addressing several critical and important vulnerabilities that could pose serious risks to online retailers. The update, published on 12 August 2025 under Bulletin ID APSB25-71, is assigned a priority rating of 2, meaning that while exploitation has not yet been observed in the wild, administrators should still update as soon as possible.

Summary of the Security Update

‍

The latest patch resolves multiple vulnerabilities which, if exploited, could lead to:

Security feature bypass
Privilege escalation
Arbitrary file system read
Application denial-of-service

Adobe confirmed that no active exploits are currently known, but the severity of the vulnerabilities makes timely patching essential for all affected platforms.

‍

Affected Versions

‍

The vulnerabilities affect a broad range of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source versions:

Adobe Commerce: 2.4.9-alpha1, 2.4.8-p1 and earlier, 2.4.7-p6 and earlier, 2.4.6-p11 and earlier, 2.4.5-p13 and earlier, 2.4.4-p14 and earlier.
Adobe Commerce B2B: 1.5.3-alpha1, 1.5.2-p1 and earlier, 1.4.2-p6 and earlier, 1.3.5-p11 and earlier, 1.3.4-p13 and earlier, 1.3.3-p14 and earlier.
Magento Open Source: 2.4.9-alpha1, 2.4.8-p1 and earlier, 2.4.7-p6 and earlier, 2.4.6-p11 and earlier, 2.4.5-p13 and earlier.

‍

Available Updates and Solutions

‍

Adobe strongly recommends updating to the latest versions immediately. The patched releases include:

Adobe Commerce: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15.
Adobe Commerce B2B: 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.4-p14, 1.3.3-p15.
Magento Open Source: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14.

All patches are categorised with Priority Rating 2, which means administrators should apply them at the earliest opportunity to mitigate risk.

Vulnerability Details

‍

The update addresses several vulnerabilities with varying severity ratings:

Improper Input Validation (CWE-20) – Application denial-of-service, Critical (CVE-2025-49554).
Cross-Site Request Forgery (CSRF, CWE-352) – Privilege escalation, Critical (CVE-2025-49555).
Incorrect Authorisation (CWE-863) – Arbitrary file system read, Critical (CVE-2025-49556).
Stored Cross-Site Scripting (XSS, CWE-79) – Privilege escalation, Critical (CVE-2025-49557).
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) – Security feature bypass, Important (CVE-2025-49558).
Path Traversal (CWE-22) – Security feature bypass, Important (CVE-2025-49559).

These vulnerabilities could enable attackers to escalate privileges, access restricted files, bypass security controls, or disrupt services. While some issues require administrative access to exploit, others do not, making the risk of exploitation higher.

What Ecommerce Businesses Should Do Next

‍

If your business relies on Adobe Commerce or Magento Open Source, updating your installation immediately should be a top priority. Delaying the patch leaves your store vulnerable to attacks that could result in data loss, site downtime, or unauthorised access to sensitive information.

‍

Need help with patching your store? Contact us to see how we can help!

Copy Link to Share

Copied

Sepideh Masihpour

Content Marketing Executive

You may be interested in...

Amazon Returns to Google Shopping Internationally, but Not in the US

News

Online Safety Act 2023: What It Means for Ecommerce

Insight

Prime Day First-Day Sales Down 41 Percent After Expansion to Four-Day Event

News