Adobe Security Bulletin – APSB25-71

On August 12, 2025, Adobe released a scheduled security update for Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. This update addresses several critical and important vulnerabilities. If left unpatched, these issues could allow attackers to:
- Bypass security features
- Escalate privileges (gain unauthorized access)
- Read sensitive files on the system
- Cause application denial-of-service (DoS)
Adobe has confirmed that there are no known exploits in the wild at this time.
Affected Versions
- Adobe Commerce: 2.4.9-alpha1, 2.4.8-p1 and earlier, 2.4.7-p6 and earlier, 2.4.6-p11 and earlier, 2.4.5-p13 and earlier, 2.4.4-p14 and earlier
- Adobe Commerce B2B: 1.5.3-alpha1, 1.5.2-p1 and earlier, 1.4.2-p6 and earlier, 1.3.5-p11 and earlier, 1.3.4-p13 and earlier, 1.3.3-p14 and earlier
- Magento Open Source: 2.4.9-alpha1, 2.4.8-p1 and earlier, 2.4.7-p6 and earlier, 2.4.6-p11 and earlier, 2.4.5-p13 and earlier
Recommended Solution
Adobe strongly recommends updating to the latest patched versions immediately:
- Adobe Commerce: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15
- Adobe Commerce B2B: 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.4-p14, 1.3.3-p15
- Magento Open Source: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14
These updates are categorized as Priority 2, meaning they should be applied within 30 days to reduce security risk.
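The affected and patched lists above are easy to misread for a version that carries a -pN or -alphaN suffix. The checker below is an added example written for this post, not Adobe's code or part of the bulletin: it encodes the patched releases listed above, parses a version string such as the one `bin/magento --version` reports, and says whether the installed release is at or past the fix for its branch. The product keys and the ordering rule (alpha and beta before the base release, -p security patches after it) are my assumptions.

```python
import re
from typing import Optional, Tuple

# Patched releases from the bulletin, keyed by a product label of my choosing.
FIXED_VERSIONS = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
    "magento-open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14"],
}

# major.minor.patch with an optional -alphaN / -betaN / -pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Ordering within one branch (my assumption): pre-releases sort before the
# base release, security patch levels (-pN) sort after it.
_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.8-p1' into a comparable tuple (2, 4, 8, rank, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, kind, num = m.groups()
    return (int(major), int(minor), int(patch), _RANK[kind], int(num) if num else 0)


def check_version(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Compare an installed version with the patched release for the same branch.

    Returns (status, fixed_version); status is 'patched', 'vulnerable', or
    'unlisted' when the bulletin names no patched release for that branch.
    """
    inst = parse_version(installed)
    for fixed in FIXED_VERSIONS[product]:
        fx = parse_version(fixed)
        if fx[:3] == inst[:3]:  # same release branch, e.g. 2.4.8
            return ("patched" if inst >= fx else "vulnerable", fixed)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed sample inputs, not real store data.
    for product, version in [("adobe-commerce", "2.4.8-p1"),
                             ("magento-open-source", "2.4.9-alpha1"),
                             ("adobe-commerce-b2b", "1.4.2-p7")]:
        status, fixed = check_version(product, version)
        print(f"{product} {version}: {status} (fixed in {fixed})")
```

One caveat worth knowing: the B2B 1.3.5 branch is listed as affected above but no patched release for it appears in the list on this page, so the checker reports it as "unlisted" rather than "patched". Treat that as a prompt to consult the release notes, not as a clean bill of health.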
Key Vulnerabilities Addressed
- Denial-of-Service (DoS) via Improper Input Validation (Critical)
- Privilege Escalation via Cross-Site Request Forgery (Critical) and Stored XSS (Critical)
- Arbitrary File System Read via Incorrect Authorization (Critical)
- Security Feature Bypass via TOCTOU Race Condition and Path Traversal (Important)
For full details, see Adobe's official release notes.
Recent Developments:
Adobe has identified and fixed the critical and important vulnerabilities described in the Adobe Commerce | APSB25-71 bulletin. The patched release is labelled 2.4.8-p2. None of these vulnerabilities have been exploited in the wild at this time, but applying the updates promptly is still vital to make sure that your store isn't vulnerable to attack from bad actors.
The weakness classes addressed by this update are:
- Improper Input Validation (CWE-20) CRITICAL
- Input validation ensures that incoming data and its metadata are safe and appropriate for processing, which matters most for structured or nested inputs. It covers properties such as size, type, syntax, consistency, and authenticity, as well as conformance to business rules and the correct interpretation of derived values. Getting any of these checks wrong can leave the application open to security or logic flaws.
- Cross-Site Request Forgery (CSRF) (CWE-352) CRITICAL
- The application cannot tell whether a request arriving with a valid session was deliberately submitted by the authenticated user or was forged by another site the user happened to visit.
- Incorrect Authorization (CWE-863) CRITICAL
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but the check is incorrect, so an actor can reach resources or perform actions that should be denied.
- Cross-site Scripting (Stored XSS) (CWE-79) CRITICAL
- The product does not neutralize user-controllable input before storing it and placing it in a page served to other users, so a stored malicious script executes in those users' browsers.
- Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) IMPORTANT
- The product checks the state of a resource, but the resource can change between the check and its use, so the product may act on stale or unsafe information.
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) IMPORTANT
- The product builds a pathname from external input that is meant to stay under a restricted parent directory, but does not neutralize special elements such as "../", so the resulting path can resolve to a location outside the restricted directory.
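Two of the items above, the path-traversal weakness and the arbitrary file read, come down to the same question: does a filename taken from a request stay inside the directory it is supposed to stay inside? The code below is an added example written for this post, not Magento's own file-serving code. It contrasts a naive join with a containment check built on `os.path.realpath`, run against a throwaway directory and a few constructed request strings; the directory layout, filenames and request strings are made up.

```python
import os
import tempfile
from typing import Dict
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    """CWE-22 as it usually happens: join the pieces, no containment check."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve `requested` under `base_dir`, refusing anything that escapes it."""
    base = os.path.realpath(base_dir)
    # Decode percent-encoding exactly once; a doubly encoded '..%252F' stays
    # literal and is then judged on what it actually resolves to.
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    # realpath has already collapsed '..' and followed symlinks, so the only
    # remaining question is containment. The base directory itself is also
    # refused: an empty name must not turn into a directory listing.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes restricted directory: {requested!r}")
    return candidate


def demo() -> Dict[str, object]:
    """Exercise both resolvers on a throwaway directory with constructed requests."""
    requests = [
        "catalog/logo.png",                # legitimate
        "../../etc/passwd",                # classic traversal
        "catalog/..%2F..%2Fetc%2Fpasswd",  # percent-encoded separators
        "/etc/passwd",                     # absolute: os.path.join discards base
        "",                                # empty name: resolves to base itself
    ]
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "catalog"))
        with open(os.path.join(base, "catalog", "logo.png"), "wb") as fh:
            fh.write(b"not really a PNG")  # constructed content
        naive: Dict[str, str] = {}
        verdict: Dict[str, str] = {}
        for req in requests:
            naive[req] = naive_resolve(base, req)
            try:
                safe_resolve(base, req)
                verdict[req] = "allowed"
            except PermissionError:
                verdict[req] = "blocked"
    return {"base": base, "naive": naive, "verdict": verdict}


if __name__ == "__main__":
    result = demo()
    for req, outcome in result["verdict"].items():
        print(f"{req!r:40} naive -> {result['naive'][req]}  safe -> {outcome}")
```

The naive resolver is worth a second look for the percent-encoded request: `normpath` leaves `..%2F` alone, so the string still starts with the base directory and a prefix check would pass, while a later layer that decodes the separators would walk out of the directory. Decoding once and then checking the real path closes that gap.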
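For the CSRF item, the check that matters is that a state-changing request carries a secret the browser would not attach on its own. The example below is added for this post and is not Magento's implementation: it uses a per-session token submitted in a field I have named `form_key` (the field name Magento uses for this purpose) and a constant-time comparison, with an unprotected handler beside it for contrast. The session class, store origin and e-mail addresses are constructed.

```python
import hmac
import secrets
from typing import Dict, Optional

STORE_ORIGIN = "https://shop.example.invalid"  # constructed store origin


class Session:
    """Minimal stand-in for a server-side session record (constructed)."""

    def __init__(self, email: str = "customer@example.invalid"):
        self.email = email
        # Minted once per session and embedded in the store's own forms.
        self.csrf_token = secrets.token_urlsafe(32)


def vulnerable_change_email(session: Session, form: dict) -> bool:
    """CWE-352: trusts the session cookie alone.

    A form on a third-party site that posts to this endpoint is sent with the
    victim's cookie by the browser, so the change goes through.
    """
    session.email = form["email"]
    return True


def protected_change_email(session: Session, form: dict, origin: Optional[str]) -> bool:
    """Requires the per-session token and, when an Origin is sent, the store's own."""
    submitted = form.get("form_key", "")
    # compare_digest needs ASCII str or bytes on both sides; comparing bytes
    # avoids a TypeError on a submitted value containing non-ASCII characters.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return False
    if origin is not None and origin != STORE_ORIGIN:
        return False
    session.email = form["email"]
    return True


def demo() -> Dict[str, object]:
    """Run forged and legitimate posts against both handlers (constructed inputs)."""
    # A cross-site form cannot read the token, so the forged post has none.
    forged = {"email": "attacker@example.invalid"}
    outcomes: Dict[str, object] = {}

    s = Session()
    outcomes["vulnerable_forged"] = vulnerable_change_email(s, forged)

    s = Session()
    outcomes["protected_forged"] = protected_change_email(
        s, forged, "https://other-site.example.invalid")
    outcomes["protected_forged_email"] = s.email

    # Correct token but an Origin that is not the store: the second layer refuses.
    with_token = {"email": "attacker@example.invalid", "form_key": s.csrf_token}
    outcomes["protected_token_wrong_origin"] = protected_change_email(
        s, with_token, "https://other-site.example.invalid")

    legit = {"email": "new@example.invalid", "form_key": s.csrf_token}
    outcomes["protected_legit"] = protected_change_email(s, legit, STORE_ORIGIN)
    outcomes["protected_legit_email"] = s.email
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Origin comparison is a second, independent layer: it does nothing when the header is absent (older clients, some same-origin navigations), so the token remains the primary control and the origin check only tightens the case where a browser does report where the post came from.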
Need Help Updating?
Keeping your Adobe Commerce or Magento Open Source site secure is critical for protecting customer data and ensuring smooth operations. If you need assistance applying this update, verifying your site's security posture, or planning a broader upgrade, Crimson Agility can help.
Contact us today to secure your platform and stay protected.
Best regards,
The Crimson Agility Team