On June 10, 2025, Adobe released a regular security update (bulletin ID APSB25-50).
The update addresses critical security vulnerabilities in Magento Open Source and Adobe Commerce editions. It carries a priority rating of 1, Adobe's highest, which means it is the most important class of security update and should be applied as soon as possible.
Failing to apply it may allow attackers to bypass security features, escalate privileges, or execute arbitrary code on affected systems.
Affected Versions
The following versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source are affected by the vulnerabilities addressed in this update:
| Product | Affected Versions |
| --- | --- |
| Adobe Commerce | 2.4.8; 2.4.7-p5 and earlier; 2.4.6-p10 and earlier; 2.4.5-p12 and earlier; 2.4.4-p13 and earlier |
| Adobe Commerce B2B | 1.5.2; 1.4.2-p5 and earlier; 1.3.5-p10 and earlier; 1.3.4-p12 and earlier; 1.3.3-p13 and earlier |
| Magento Open Source | 2.4.8; 2.4.7-p5 and earlier; 2.4.6-p10 and earlier; 2.4.5-p12 and earlier |
What Security Vulnerabilities are Addressed?
The Magento APSB25-50 security update resolves five vulnerabilities, including two critical ones that could have severe impacts if exploited.
| Vulnerability Category | Impact | Severity | CVSS Base Score | CVE Number | Notes |
| --- | --- | --- | --- | --- | --- |
| Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Critical | 9.1 | CVE-2025-47110 | Requires authentication and admin privileges |
| Improper Authorization (CWE-285) | Security feature bypass | Critical | 8.2 | CVE-2025-43585 | No admin privileges required |
| Improper Access Control (CWE-284) | Security feature bypass | Important | 5.3 | CVE-2025-27206 | Requires authentication and admin privileges |
| Improper Access Control (CWE-284) | Privilege escalation | Important | 6.5 | CVE-2025-27207 | B2B only; requires authentication and admin privileges |
| Improper Access Control (CWE-284) | Privilege escalation | Important | 6.5 | CVE-2025-43586 | B2B only; requires authentication and admin privileges |
Here’s why these vulnerabilities are important to fix:
- Cross-site Scripting (XSS): Attackers could inject malicious scripts into web pages viewed by users, which could lead to leaked payment information, session hijacking, or unauthorized actions within the store’s admin panel.
- Improper Authorization and Access Control: Attackers could bypass security restrictions (e.g., the admin login) and perform actions such as modifying store settings, creating discount codes, or accessing customer data.
Affected stores are therefore at risk of customer data leaks, financial loss, and disruption of their business.
Solution: Update Magento Version OR Apply Isolated Patch
To address these vulnerabilities, Adobe recommends updating to the following versions:
| Product | Affected Versions | Updated Version |
| --- | --- | --- |
| Adobe Commerce | 2.4.8 | 2.4.8-p1 |
| Adobe Commerce | 2.4.7-p5 and earlier | 2.4.7-p6 |
| Adobe Commerce | 2.4.6-p10 and earlier | 2.4.6-p11 |
| Adobe Commerce | 2.4.5-p12 and earlier | 2.4.5-p13 |
| Adobe Commerce | 2.4.4-p13 and earlier | 2.4.4-p14 |
| Magento Open Source | 2.4.8 | 2.4.8-p1 |
| Magento Open Source | 2.4.7-p5 and earlier | 2.4.7-p6 |
| Magento Open Source | 2.4.6-p10 and earlier | 2.4.6-p11 |
| Magento Open Source | 2.4.5-p12 and earlier | 2.4.5-p13 |
| Adobe Commerce B2B | 1.5.2 | 1.5.2-p1 |
| Adobe Commerce B2B | 1.4.2-p5 and earlier | 1.4.2-p6 |
| Adobe Commerce B2B | 1.3.5-p10 and earlier | 1.3.5-p11 |
| Adobe Commerce B2B | 1.3.4-p12 and earlier | 1.3.4-p13 |
| Adobe Commerce B2B | 1.3.3-p13 and earlier | 1.3.3-p14 |
Security Patches for Magento / Adobe Commerce
If you’re not able to update immediately, you can apply the isolated patch for CVE-2025-47110. Adobe has released the following isolated patches for Magento and Adobe Commerce:
How to apply?
- Create a backup of your store’s database (to prevent any data loss)
- Download the patch file using the links above
- Upload the file to your Magento installation’s root directory
- Then run the following command from that directory to apply the patch
For VULN-31609_2.4.X.patch:
patch -p1 < VULN-31609_2.4.X.patch
For VULN-31547_2.4.8.patch:
patch -p1 < VULN-31547_2.4.8.patch
Once done, clear the Magento cache to reflect the changes.
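As an added example (not part of Adobe's bulletin or this post's own instructions), the following script checks an installed 2.4.x version against the fixed patch levels in the table above and wraps the `patch -p1` step in a dry run so a patch that does not apply cleanly (wrong release line, or already applied) is never half-applied. It assumes it is run from the Magento root and that `bin/magento` is available; the B2B 1.x lines are not covered, and note that 2.4.4 appears in the bulletin only for Adobe Commerce.

```shell
#!/usr/bin/env bash
# Added example: APSB25-50 version check plus safe isolated-patch application.
set -eu

# Minimum fixed "-p" level per 2.4.x release line, taken from the APSB25-50 table.
# Format: "<release line>:<first fixed patch level>"
FIXED_LEVELS="2.4.8:1 2.4.7:6 2.4.6:11 2.4.5:13 2.4.4:14"

# Split "2.4.7-p5" into release line "2.4.7" and patch level 5 (a bare "2.4.8" is level 0).
parse_version() {
  v="$1"
  line="${v%%-p*}"
  if [ "$line" = "$v" ]; then level=0; else level="${v##*-p}"; fi
  printf '%s %s\n' "$line" "$level"
}

# Exit status 0: version is below the fixed level (patch needed);
# 1: already at or above the fixed level; 2: release line not in the bulletin.
needs_apsb25_50() {
  set -- $(parse_version "$1")
  line="$1"; level="$2"
  for entry in $FIXED_LEVELS; do
    if [ "${entry%%:*}" = "$line" ]; then
      [ "$level" -lt "${entry##*:}" ] && return 0
      return 1
    fi
  done
  return 2
}

# Apply an isolated patch only if a dry run succeeds, then flush the cache
# (bin/magento cache:flush is the standard Magento CLI cache command).
apply_isolated_patch() {
  patch_file="$1"
  if ! patch -p1 --dry-run --silent < "$patch_file"; then
    echo "Dry run failed: $patch_file does not apply cleanly (wrong version or already applied?)" >&2
    return 1
  fi
  patch -p1 < "$patch_file"
  bin/magento cache:flush
}

# Example usage (constructed): check the version reported by the Magento CLI
# and apply the 2.4.x patch from the bulletin when the store is still affected.
# installed="$(bin/magento --version | grep -o '2\.4\.[0-9]*\(-p[0-9]*\)\?')"
# needs_apsb25_50 "$installed" && apply_isolated_patch VULN-31609_2.4.X.patch
```

Run the version check first on a staging copy; a status of 2 means the release line is outside the bulletin's table and should be verified against the bulletin manually rather than assumed safe.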
You can also download the isolated patches from GitHub and apply them directly, following the instructions in the accompanying readme file.
If you’re not comfortable performing these updates yourself, our Magento Security Patches Installation Service provides professional assistance to ensure a secure and seamless update process.