Adobe has released an emergency security update (APSB25-88) for Adobe Commerce and Magento Open Source, addressing a critical vulnerability (CVE-2025-54236) with a CVSS 9.1 severity score.
Affected versions:

Adobe Commerce:
  2.4.9-alpha2 and earlier
  2.4.8-p2 and earlier
  2.4.7-p7 and earlier
  2.4.6-p12 and earlier
  2.4.5-p14 and earlier
  2.4.4-p15 and earlier

Adobe Commerce B2B:
  1.5.3-alpha2 and earlier
  1.5.2-p2 and earlier
  1.4.2-p7 and earlier
  1.3.4-p14 and earlier
  1.3.3-p15 and earlier

Magento Open Source:
  2.4.9-alpha2 and earlier
  2.4.8-p2 and earlier
  2.4.7-p7 and earlier
  2.4.6-p12 and earlier
  2.4.5-p14 and earlier
Adobe has released a hotfix for the vulnerability, which is compatible with all versions of Adobe Commerce and Magento Open Source from 2.4.4 through 2.4.7. The hotfix, and the installation instructions for it, can be found here:
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397
It is highly recommended that affected users apply the hotfix as soon as possible. While there have not yet been any reports of attacks leveraging this vulnerability, that is likely to change quickly following this public disclosure.
Previous critical vulnerabilities of this nature have resulted in thousands of websites being compromised, with many attacks resulting in payment card information being stolen.
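A small triage helper, added here as an example and not part of the advisory, that checks an installed 2.4.x version string against the affected releases and hotfix range listed above. It assumes that any build newer than the last listed vulnerable build on a line carries the fix, and it does not cover the 1.x Adobe Commerce B2B versions.

```python
import re
from typing import Tuple

# Highest affected release on each listed 2.4.x line ("<version> and earlier"
# in the advisory); any newer build on that line is assumed to carry the fix.
AFFECTED = {
    (2, 4, 9): ("alpha", 2),
    (2, 4, 8): ("p", 2),
    (2, 4, 7): ("p", 7),
    (2, 4, 6): ("p", 12),
    (2, 4, 5): ("p", 14),
    (2, 4, 4): ("p", 15),
}
# Lines the standalone hotfix supports (2.4.4 through 2.4.7 per the advisory).
HOTFIX_LINES = {(2, 4, 4), (2, 4, 5), (2, 4, 6), (2, 4, 7)}
# Pre-release tags sort before the GA build, which sorts before patch builds.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "p": 2}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Split '2.4.7-p5' into ((2, 4, 7), (rank, 5)); a bare GA build counts as p0."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    line = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix, num = m.group(4) or "p", int(m.group(5) or 0)
    return line, (SUFFIX_RANK[suffix], num)


def triage(version: str) -> str:
    """Classify an installed version for CVE-2025-54236 remediation."""
    line, build = parse_version(version)
    if line not in AFFECTED:
        return "not listed: line is outside the advisory's supported range"
    last_bad_suffix, last_bad_num = AFFECTED[line]
    if build > (SUFFIX_RANK[last_bad_suffix], last_bad_num):
        return "not affected: newer than the last vulnerable build"
    if line in HOTFIX_LINES:
        return "affected: apply the hotfix now, then upgrade"
    return "affected: no hotfix for this line, upgrade to a fixed release"


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for v in ("2.4.7-p5", "2.4.7-p8", "2.4.9-alpha2", "2.4.3-p3"):
        print(f"{v:14} -> {triage(v)}")
```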
The emergency hotfix, and the upcoming updated versions of Magento when they are eventually released, address this vulnerability by performing stricter data validation for constructor parameters in API requests. Any custom API integrations may need to be reviewed to ensure they still function correctly after these changes. More details about the changes to the API can be found here:
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27501
Although there are no confirmed attacks yet, history shows that critical Magento vulnerabilities are targeted within hours of disclosure. Previous flaws of this nature have resulted in: