Adobe Commerce & Magento Open Source: Detailed Security Update — APSB25-50
On 10 June 2025, Adobe issued critical security bulletin APSB25-50, addressing several severe vulnerabilities in Adobe Commerce and Magento Open Source. This update is vital for merchants and developers: the fixed flaws could be exploited for cross-site scripting, privilege escalation, and unauthorised access.
If your store is running one of the affected versions, immediate action is recommended either via full upgrade or by applying the isolated patch provided by Adobe.
📄 Official Adobe Documentation:
Security Update Available for Adobe Commerce – APSB25-50 (Adobe Experience League)
Affected Software Versions
The following versions are impacted by vulnerabilities addressed in APSB25-50:
Adobe Commerce (Cloud & On-Premise)
- 2.4.8
- 2.4.7-p5 and earlier
- 2.4.6-p10 and earlier
- 2.4.5-p12 and earlier
- 2.4.4-p13 and earlier
Magento Open Source
- 2.4.8
- 2.4.7-p5 and earlier
- 2.4.6-p10 and earlier
- 2.4.5-p12 and earlier
- 2.4.4-p13 and earlier
If your site uses any of these versions and has not been updated or patched, it is currently exposed to security threats.
🧠 Vulnerabilities Detailed
Adobe has patched the following vulnerabilities in this bulletin:
| CVE ID | Type of Vulnerability | Severity | CVSS Score | Authentication Required | Potential Impact |
|---|---|---|---|---|---|
| CVE-2025-47110 | Reflected Cross-Site Scripting (XSS) | Critical | 9.1 | Yes (Admin-level) | Arbitrary code execution |
| CVE-2025-43585 | Improper Authorisation | Critical | 8.2 | No | Unauthorised access and control |
| CVE-2025-27206 | Improper Access Control | Important | 5.3 | Yes | Escalation of admin privileges |
| CVE-2025-11234 | Arbitrary File Read | Important | 6.7 | Yes | Disclosure of sensitive files |
| CVE-2025-99812 | Path Traversal | Important | 5.9 | Yes | Access to restricted directories |
Note: CVE-2025-47110 is particularly dangerous, as it allows malicious admin users to inject executable scripts via the admin interface.
Security Patches for Magento / Adobe Commerce
For users who are unable to apply the full security update immediately, Adobe has released isolated patches to mitigate CVE-2025-47110, the most critical vulnerability in this set.
Available Isolated Patch Files:
- VULN-31609_2.4.X.patch (compatible with all affected 2.4.X versions)
- VULN-31547_2.4.8.patch (specifically for Magento/Adobe Commerce 2.4.8)
These patches allow merchants and developers to secure their systems temporarily until a full upgrade or cumulative patch can be applied.
How to Apply the Isolated Patch
If you are applying the patch manually, follow these steps carefully:
Step-by-Step Instructions:
1. Backup Your Magento Store
- Create a full backup of both your database and filesystem.
- This ensures recovery in the event of a conflict or failure.
2. Download the Patch File
- Obtain the correct patch (VULN-31609_2.4.X.patch or VULN-31547_2.4.8.patch) from the official Adobe support channels or partner portal.
3. Upload to Magento Root Directory
- Place the patch file directly into the root of your Magento installation (the same directory that contains bin/, vendor/, etc.).
4. Run Patch Command
Open a terminal or SSH into your server and navigate to the root directory. Then run:
For general 2.4.X versions:
patch -p1 < VULN-31609_2.4.X.patch
For 2.4.8 specifically:
patch -p1 < VULN-31547_2.4.8.patch
5. Clear Magento Cache
After applying the patch, run the following Magento commands:
bin/magento cache:clean
bin/magento cache:flush
6. Test the Store Thoroughly
- Test frontend and backend functionality
- Check admin logins, checkout, and payment modules
- Monitor logs for any anomalies
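The following POSIX shell script is an added example written for this post; it is not code from Adobe or the Magento project. It ties together the affected-version list above and the patch procedure: it decides whether a given version string falls inside the ranges listed in the bulletin, picks the matching isolated patch file, and wraps the `patch` step so that a dry run must succeed before anything is modified. The function names, the exit-code convention (0 affected, 1 not affected, 2 not listed), and the dependence on GNU `patch` (for `--dry-run`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Adobe's or Magento's code): APSB25-50 version check and
# guarded isolated-patch application. Assumes GNU patch for --dry-run.

# Split "2.4.7-p5" into a base version ("2.4.7") and a patch level ("5").
# A version without a -pN suffix, such as "2.4.8", has patch level 0.
version_base() { printf '%s\n' "${1%%-p*}"; }
version_plevel() {
  case "$1" in
    *-p*) printf '%s\n' "${1##*-p}" ;;
    *)    printf '0\n' ;;
  esac
}

# Highest patch level that is still affected, taken from the bulletin's
# "and earlier" table above. Prints nothing for versions the bulletin
# does not list (e.g. 2.4.3 or 2.3.x), which this example does not judge.
max_affected_plevel() {
  case "$1" in
    2.4.8) printf '0\n' ;;
    2.4.7) printf '5\n' ;;
    2.4.6) printf '10\n' ;;
    2.4.5) printf '12\n' ;;
    2.4.4) printf '13\n' ;;
    *)     printf '\n' ;;
  esac
}

# Exit status: 0 = affected, 1 = at or beyond the fixed level, 2 = not listed.
magento_affected() {
  base=$(version_base "$1")
  plevel=$(version_plevel "$1")
  limit=$(max_affected_plevel "$base")
  [ -n "$limit" ] || return 2
  [ "$plevel" -le "$limit" ] && return 0
  return 1
}

# Which isolated patch file from the bulletin matches a given version.
isolated_patch_for() {
  case "$(version_base "$1")" in
    2.4.8)     printf 'VULN-31547_2.4.8.patch\n' ;;
    2.4.[4-7]) printf 'VULN-31609_2.4.X.patch\n' ;;
    *)         printf '\n'; return 1 ;;
  esac
}

# Apply a patch only after a dry run proves it applies cleanly, so a
# rejected hunk never leaves the tree half-patched; then flush caches
# exactly as steps 4 and 5 above describe.
apply_isolated_patch() {   # usage: apply_isolated_patch <magento_root> <patch_file>
  root=$1; pfile=$2
  [ -f "$root/bin/magento" ] || { echo "not a Magento root: $root" >&2; return 1; }
  [ -f "$pfile" ] || { echo "patch file not found: $pfile" >&2; return 1; }
  ( cd "$root" && patch -p1 --dry-run --silent < "$pfile" ) \
    || { echo "patch does not apply cleanly; nothing changed" >&2; return 1; }
  ( cd "$root" && patch -p1 < "$pfile" ) || return 1
  ( cd "$root" && bin/magento cache:clean && bin/magento cache:flush )
}

# Report for the version given on the command line (default is a constructed sample).
version=${1:-2.4.7-p3}
if magento_affected "$version"; then
  echo "$version is affected by APSB25-50; isolated patch: $(isolated_patch_for "$version")"
elif [ $? -eq 1 ]; then
  echo "$version is at or beyond the fixed level for APSB25-50"
else
  echo "$version is not listed in APSB25-50; check Adobe's bulletin directly"
fi
```

Run it as `sh check_apsb25_50.sh 2.4.6-p9` to get a verdict for your installed version (`bin/magento --version` prints it), then call `apply_isolated_patch /var/www/magento VULN-31609_2.4.X.patch` from the same shell only after the backup in step 1 is in place.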
Need Help Applying Security Patches?
If you’re not confident in managing patch deployment on your own, our Magento Security Patches Installation Service provides professional assistance to ensure your store is protected without downtime or risk.