Bhavin Patel
Urgent Security Update for Adobe Commerce and Magento Users

Adobe has released an emergency security update (APS25-88) for Adobe Commerce and Magento Open Source, addressing a critical vulnerability (CVE-2025-54236) with a CVSS 9.1 severity score.

What’s the risk of CVE-2025-54236?

  • The flaw arises from improper input validation in the Commerce REST API.
  • It can be exploited without credentials or admin access, making it particularly dangerous.
  • Adobe states it enables account takeover, while independent analysis suggests it can also lead to remote code execution (RCE) — giving attackers full control over a site.
  • A patch leak prior to release means attackers may already be developing exploits.


Versions of Adobe Commerce and Magento affected by CVE-2025-54236

Adobe Commerce:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B:

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

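Checking a fleet of stores against the list above by hand is error-prone, because "2.4.7-p7 and earlier" has to be compared per branch (a 2.4.7-p8 install is newer than the ceiling even though 2.4.8-p2 sorts above it). The following script is an added example, not code from the advisory or from Adobe: it transcribes the affected-version ceilings from this post, parses Magento-style version strings, and reports per host whether the install is affected and whether it falls inside the 2.4.4 to 2.4.7 range the post gives for the hotfix. The product keys, the sample inventory and the treatment of unlisted branches are this example's own assumptions.

```python
import re

# Affected-version ceilings transcribed from the advisory: each entry is the
# newest affected release on its branch ("X and earlier").
AFFECTED = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
    "magento-open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
}

# Range the advisory gives for the hotfix (Adobe Commerce / Magento Open Source only).
HOTFIX_RANGE = ((2, 4, 4), (2, 4, 7))

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}  # pre-release < GA < patch release


def parse_version(text):
    """Split '2.4.7-p6' into ((2, 4, 7), stage_rank, 6) so releases compare correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    stage, number = m.group(4), m.group(5)
    return branch, _STAGE_RANK[stage], int(number) if number else 0


def is_affected(product, version):
    """True if `version` of `product` falls inside the advisory's affected set."""
    branch, rank, number = parse_version(version)
    ceilings = [parse_version(v) for v in AFFECTED[product]]
    for c_branch, c_rank, c_number in ceilings:
        if c_branch == branch:
            # same branch: affected up to and including the listed ceiling
            return (rank, number) <= (c_rank, c_number)
    # Branch not listed. Interpretation used here (an assumption, not from the
    # advisory): "and earlier" also covers older, unlisted branches, while a
    # branch newer than every listed one is outside the table and reported as
    # not affected by it.
    return branch < max(c[0] for c in ceilings)


def hotfix_applies(product, version):
    """True when the advisory states the hotfix is compatible with this release."""
    if product == "adobe-commerce-b2b":
        return False  # the advisory gives the range for Commerce / Open Source only
    branch, _, _ = parse_version(version)
    return HOTFIX_RANGE[0] <= branch <= HOTFIX_RANGE[1]


def triage(inventory):
    """Inventory rows (host, product, version) -> rows with affected/hotfix verdicts."""
    return [
        (host, product, version, is_affected(product, version), hotfix_applies(product, version))
        for host, product, version in inventory
    ]


# Constructed sample inventory (made-up hosts, not real systems).
SAMPLE_INVENTORY = [
    ("shop-a.example", "magento-open-source", "2.4.7-p6"),
    ("shop-b.example", "magento-open-source", "2.4.7-p8"),
    ("shop-c.example", "adobe-commerce", "2.4.8"),
    ("shop-d.example", "adobe-commerce-b2b", "1.5.2-p3"),
]

if __name__ == "__main__":
    for host, product, version, affected, hotfix in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {product:20} {version:12} affected={affected} hotfix_in_range={hotfix}")
```

Note the third sample row: a 2.4.8 install is inside the affected set but outside the 2.4.4 to 2.4.7 hotfix range stated above, so for such hosts the remediation path has to be taken from the linked Adobe knowledge base article rather than assumed.
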
Solution

Adobe has released a hotfix for the vulnerability, which is compatible with all versions of Adobe Commerce and Magento Open Source from 2.4.4 to 2.4.7. The hotfix and its installation instructions are available here:

https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397

It is highly recommended that affected users apply the hotfix as soon as possible. While there have not yet been any reports of attacks leveraging this vulnerability, that is likely to change quickly following this public disclosure.

Previous critical vulnerabilities of this nature have resulted in thousands of websites being compromised, with many attacks resulting in payment card information being stolen.

The emergency hotfix, and the updated Magento releases that will follow, address this vulnerability by performing stricter validation of constructor parameters in API requests. Custom API integrations may need to be reviewed to ensure they still function correctly after these changes. More details about the API changes are available here:

https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27501


Why You Must Act Now

Although there are no confirmed attacks yet, history shows that critical Magento vulnerabilities are targeted within hours of disclosure. Previous flaws of this nature have resulted in:

  • Mass compromises of eCommerce sites
  • Payment card data theft
  • Long recovery times and reputational damage

Next Steps

  • Apply the hotfix immediately in a staging environment, then deploy to production without delay.
  • Monitor access and error logs for suspicious activity.
  • Review and test any API integrations after patching.

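The two log-related steps above, monitoring for suspicious activity and reviewing integrations after patching, can be served by one pass over the web server access log. The script below is an added example, not code from the advisory or from Adobe: it parses combined-format access log lines, aggregates requests to the REST API per client address, flags clients that accumulate a burst of 4xx/5xx responses against REST endpoints inside a short window, and lists the remaining clients with REST errors as integrations to review once the stricter validation is in place. The `/rest/` path prefix, the thresholds and the sample log lines (documentation IP ranges, made-up timestamps) are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
REST_PREFIX = "/rest/"  # assumption: the store exposes the Commerce REST API under /rest/


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def summarise_rest_activity(lines):
    """Per client IP: REST request count, error count and timestamps, distinct endpoints."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "error_times": [], "endpoints": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue  # skip unparsable lines and storefront traffic
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
            s["error_times"].append(rec["time"])
        # drop the query string so repeated calls to one endpoint count as one
        s["endpoints"].add(rec["method"] + " " + rec["path"].split("?", 1)[0])
    return stats


def flag_clients(stats, error_threshold=5, window_seconds=60):
    """IPs that produced `error_threshold` REST errors within any `window_seconds` span."""
    flagged = []
    for ip, s in stats.items():
        times = sorted(s["error_times"])
        for i in range(len(times) - error_threshold + 1):
            if (times[i + error_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


# Constructed sample log lines: one client collecting errors across several REST
# endpoints in a few seconds, one integration with a single failure, storefront noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:15:01 +0000] "POST /rest/default/V1/products HTTP/1.1" 400 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:15:02 +0000] "POST /rest/default/V1/products HTTP/1.1" 500 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:15:04 +0000] "PUT /rest/default/V1/products/SKU-1 HTTP/1.1" 400 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:15:06 +0000] "POST /rest/default/V1/categories HTTP/1.1" 500 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:15:09 +0000] "POST /rest/default/V1/orders HTTP/1.1" 400 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Jan/2025:10:15:12 +0000] "POST /rest/default/V1/customers HTTP/1.1" 401 92 "-" "python-requests/2.31"',
    '198.51.100.20 - - [01/Jan/2025:10:16:00 +0000] "GET /rest/default/V1/orders?searchCriteria[pageSize]=20 HTTP/1.1" 200 4120 "-" "erp-sync/1.0"',
    '198.51.100.20 - - [01/Jan/2025:10:16:30 +0000] "GET /rest/default/V1/orders?searchCriteria[pageSize]=20 HTTP/1.1" 200 4120 "-" "erp-sync/1.0"',
    '198.51.100.20 - - [01/Jan/2025:10:17:00 +0000] "POST /rest/default/V1/products HTTP/1.1" 400 92 "-" "erp-sync/1.0"',
    '192.0.2.5 - - [01/Jan/2025:10:17:05 +0000] "GET / HTTP/1.1" 200 18231 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    stats = summarise_rest_activity(SAMPLE_LOG)
    flagged = flag_clients(stats)
    for ip in flagged:
        s = stats[ip]
        print(f"ALERT {ip}: {s['errors']}/{s['requests']} REST requests failed across {len(s['endpoints'])} endpoints")
    for ip, s in stats.items():
        if s["errors"] and ip not in flagged:
            print(f"REVIEW {ip}: {s['errors']} REST error(s); check this integration after patching")
```

A client that is flagged is a candidate for closer inspection of the full request bodies and the application's own logs; a client that merely shows a few errors after the hotfix is deployed is more likely a legitimate integration tripping the stricter constructor-parameter validation, which is exactly the review the post asks for.
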
Bhavin Patel

Bhavin is a cybersecurity professional with over 5 years of experience. As part of the Threat Intelligence Group (TIG), he assists the DFIR team with forensic investigations, performs deobfuscation & analysis on malware findings and creates signatures which enable detection of malware by our in-house technology and ThreatView.