Adobe has recently issued a critical security bulletin for its Adobe Commerce and Magento Open Source platforms. This post will detail the specifics of the new update, outline the potential risks it helps mitigate, and share practical steps users can take to strengthen their store’s security. The security update, identified as APSB25-71, was released on August 12, 2025, addressing several high-severity vulnerabilities in Adobe Commerce and Magento Open Source.
This update addresses critical and important vulnerabilities that, if exploited, could result in:
- Security feature bypass
- Privilege escalation
- Arbitrary file system read
- Application denial-of-service (DoS)
Adobe currently has no reports of active exploits in the wild targeting these issues.
Affected Versions
Affected versions include, but are not limited to:
- Adobe Commerce 2.4.x (specific patch releases such as 2.4.5-p14 and 2.4.7-p6, as well as the latest available release)
- Magento Open Source versions corresponding to those of Adobe Commerce
Solution
Adobe has provided updated versions for both Adobe Commerce and Magento Open Source to address these vulnerabilities. Adobe strongly urges users of affected versions to update immediately to the latest patch release to ensure continued security. After applying the patch, Adobe Commerce B2B users should also update to the latest compatible B2B patch.
Detailed installation instructions are available on Adobe’s website.
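To turn the version list above into a repeatable check, here is an added Python snippet (not from Adobe or the bulletin) that reads the version printed by `bin/magento --version`, parses the `2.4.x-pN` form, and classifies it against the patch releases named above. The sample CLI output is constructed; the script assumes patch releases are cumulative, so anything at or below a listed patch level on the same 2.4.x line is treated as affected, while lines not named above are returned for manual checking against the full bulletin.

```python
import re

# Affected patch releases named in the summary above. The bulletin says the list
# "includes, but is not limited to" these, so this is illustrative, not exhaustive.
AFFECTED_RELEASES = ["2.4.5-p14", "2.4.7-p6"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '2.4.7-p6' into (2, 4, 7, 6). A base release with no -pN suffix is
    patch level 0, so it sorts below every patch release on its line."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def extract_version(cli_output):
    """Pull the version out of `bin/magento --version` output, e.g. the
    constructed sample 'Magento CLI 2.4.7-p6'."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-p\d+)?)\b", cli_output)
    if not m:
        raise ValueError("no version found in CLI output")
    return m.group(1)


def triage(installed, affected=AFFECTED_RELEASES):
    """Classify an installed version against the listed affected releases.

    ASSUMPTION: patch releases are cumulative, so anything at or below a listed
    patch level on the same 2.4.x line is treated as affected. Lines not named in
    the list cannot be judged here and are returned for manual checking."""
    inst = parse_version(installed)
    same_line = [parse_version(r) for r in affected if parse_version(r)[:3] == inst[:3]]
    if not same_line:
        return "line-not-listed"      # consult the full APSB25-71 bulletin
    if inst <= max(same_line):
        return "affected"             # update to the latest patch release now
    return "newer-than-listed"        # still confirm it carries the APSB25-71 fix


if __name__ == "__main__":
    # Constructed sample of what `bin/magento --version` prints on a store.
    sample_output = "Magento CLI 2.4.7-p6"
    version = extract_version(sample_output)
    print(f"{version}: {triage(version)}")   # prints "2.4.7-p6: affected"
```

Run it against the real CLI output on each store host; a result of "line-not-listed" means the release line is simply absent from this illustrative list, not that the store is safe.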
Why This Matters
- Proactive defense: These vulnerabilities could be exploited to undermine authentication, escalate privileges, and cause denial-of-service problems.
- No active exploits: none have been reported so far, but the severity warrants swift action to mitigate risk.
- Broader impact: Arbitrary file system reads and privilege escalation can expose sensitive data and compromise system integrity.
Vulnerability Details
This security update mitigates both critical and important vulnerabilities in Adobe Commerce and Magento Open Source, with no known exploitation in the wild at this time.
The addressed vulnerabilities fall into the following categories:
- Improper Input Validation (CWE-20) – may enable application denial-of-service; requires neither authentication nor user interaction (CVSS 3.1: 7.5) – CVE-2025-49554.
- Cross-Site Request Forgery (CSRF) (CWE-352) – could allow privilege escalation; requires authentication (CVSS 3.1: 8.1) – CVE-2025-49555.
- Incorrect Authorization (CWE-863) – allows arbitrary file system read; requires neither authentication nor user interaction (CVSS 3.1: 7.5) – CVE-2025-49556.
You can find detailed information here: Adobe Security Bulletin APSB25-71.