Adobe has released a security update, APSB25-94 (Oct 14, 2025), for Adobe Commerce and Magento Open Source. This patch addresses critical vulnerabilities (CVE-2025-54263 to 54267, CVSS up to 8.8) that could allow unauthenticated attackers to bypass security features, escalate privileges, and execute arbitrary code, potentially leading to data theft or full site compromise. All users running affected versions are strongly advised to update immediately.

Affected Versions

The affected versions include various releases of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Users running the following versions or earlier are urged to take immediate action:

  • Adobe Commerce: ≤ 2.4.9-alpha2, ≤ 2.4.8-p2, ≤ 2.4.7-p7, ≤ 2.4.6-p12, ≤ 2.4.5-p14, ≤ 2.4.4-p15
  • Adobe Commerce B2B: ≤ 1.5.3-alpha2, ≤ 1.5.2-p2, ≤ 1.4.2-p7, ≤ 1.3.5-p12, ≤ 1.3.4-p14, ≤ 1.3.3-p15
  • Magento Open Source: ≤ 2.4.9-alpha2, ≤ 2.4.8-p2, ≤ 2.4.7-p7, ≤ 2.4.6-p12, ≤ 2.4.5-p14
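To turn the ceilings above into a quick self-check, here is an added example (not code from Adobe or the advisory) that parses Magento-style version strings and reports whether an installed version falls inside the affected ranges listed on this page. The ordering of pre-release and patch suffixes within one release line (alpha < beta < GA < p1 < p2 ...) and the treatment of older unlisted lines as unpatched are assumptions of this example, and the `Magento CLI ...` sample line is constructed.

```python
import re

# Affected ceilings from APSB25-94, as listed in the advisory text above.
# Versions at or below each entry in the same x.y.z release line are affected.
AFFECTED_CEILINGS = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.5-p12", "1.3.4-p14", "1.3.3-p15"],
    "magento-open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Parse 'x.y.z', 'x.y.z-pN' or 'x.y.z-alphaN' into a sortable tuple.

    Ordering assumption (not from the advisory): within one x.y.z line,
    alpha < beta < GA release < p1 < p2 < ...
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = {"alpha": 0, "beta": 1, None: 2, "p": 3}[tag]
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def extract_version(cli_output):
    """Pull the version token out of `bin/magento --version` style output."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?", cli_output)
    return m.group(0) if m else None


def is_affected(product, version):
    """True if `version` of `product` is within the APSB25-94 affected ranges."""
    v = parse_version(version)
    ceilings = [parse_version(c) for c in AFFECTED_CEILINGS[product]]
    same_line = [c for c in ceilings if c[:3] == v[:3]]
    if same_line:
        return v <= max(same_line)
    # No ceiling for this x.y.z line: anything older than the oldest listed
    # line is an unpatched (end-of-life) release and is treated as affected;
    # newer unlisted lines fall outside the ranges this advisory names.
    return v < min(ceilings)


if __name__ == "__main__":
    sample = "Magento CLI 2.4.7-p6"  # constructed sample of bin/magento --version
    print(sample, "->", "AFFECTED" if is_affected("adobe-commerce",
                                                  extract_version(sample)) else "ok")
```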

Solution

Adobe has provided updated versions for both Adobe Commerce and Magento Open Source to address these vulnerabilities. Adobe strongly urges users of affected versions to update immediately to the latest patch release to ensure continued security. After applying the patch, Adobe Commerce B2B users should also update to the latest compatible B2B patch.

Detailed installation instructions are available on Adobe’s website.

Why This Matters

  • Attackers could bypass security features, escalate privileges, or execute arbitrary code on affected Magento/Adobe Commerce installations.
  • Some of the vulnerabilities are rated critical, meaning they carry high risk.
  • Even though Adobe states they are not aware of active exploits in the wild yet, the potential impact is severe, so timely patching is important.
  • The vulnerability affects all supported Magento/Adobe Commerce versions up to certain patches.
  • Adobe has released updates (patches) to remediate these vulnerabilities; systems should be updated to the latest safe version.

Vulnerability Details

The Adobe Security Bulletin APSB25-94 for Magento and Adobe Commerce addresses multiple vulnerabilities, including improper access control, incorrect authorization, and stored cross-site scripting (XSS) issues. These flaws could allow attackers to bypass security restrictions, elevate privileges, or execute arbitrary code on affected systems. While some vulnerabilities require authentication and administrative privileges, others can be exploited without authentication, thereby increasing potential exposure. Adobe has rated several of these vulnerabilities as critical, with CVSS scores ranging from 4.8 to 8.8, and it has released patched versions to mitigate these security risks. Although no active exploits are currently known, prompt patching is strongly recommended to prevent potential attacks.

You can find detailed information here: Adobe Security Bulletin APSB25-94.