[APSB25-88] Adobe Commerce/Magento Security Patches

On September 9, 2025, Adobe released security bulletin APSB25-88.

Adobe was notified of an issue in Adobe Commerce that could let an attacker take over a customer account through the Commerce REST API (CVE-2025-54236). Although Adobe has not found any evidence of this vulnerability being exploited yet, experts still recommend immediate action to prevent potential attacks.

APSB25-88 Vulnerability Details

The vulnerability is categorized as Improper Input Validation (CWE-20).

If a system fails to check or filter the data entered by users, attackers can manipulate that data. The impact of this flaw is a security feature bypass, which allows a hacker to get around the system’s security defenses.

The severity of this vulnerability is rated as critical. It requires no authentication and no administrative privileges to exploit, meaning any unauthenticated attacker could potentially take advantage of it without logging in or holding any special permissions.

Solution to Fix the Vulnerabilities + Affected Versions 

The solution is to apply the hotfix VULN-32437-2-4-X-patch to all Adobe Commerce and Magento Open Source versions after 2.4.4.

The update is categorized with a priority rating of 2, making it essential to install it within a few days.

Below is a list of affected versions for which this update is critical:

Product: Affected Versions

Adobe Commerce
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B
  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

How to Apply The Hotfix Solution in Your Store? 

For Adobe Commerce on Cloud Infrastructure

  • Download the patch zip file and unzip it.
  • Create a directory named m2-hotfixes in your project root.
  • Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory.
  • Add the changes, commit, and push your code.

For Adobe Commerce on-premises & Magento Open Source

  • Upload the patch to your Adobe Commerce on-premises or Magento Open Source root directory.
  • Run the following command over SSH to apply the patch:
    patch -p1 < %patch_name%.composer.patch
  • If the command does not work, try using -p2 instead of -p1.
  • Refresh the cache in the Admin under System > Cache Management.
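
The -p1 / -p2 step above can be made safer by testing each strip level with a dry run first, so a hotfix that does not match is never half-applied and an already-patched store is detected. This is an added example, not code from Adobe or from this article; apply_hotfix is a hypothetical helper name and GNU patch is assumed.

```sh
# Added example (not Adobe's tooling). apply_hotfix is a hypothetical helper.
# Assumes GNU patch. Usage: apply_hotfix <patch-file> [store-root]
apply_hotfix() {
    hf_patch=$1
    hf_root=${2:-.}
    [ -f "$hf_patch" ] || { echo "patch file not found: $hf_patch" >&2; return 2; }
    [ -d "$hf_root" ] || { echo "store root not found: $hf_root" >&2; return 2; }
    # Make the patch path absolute because each attempt runs inside the store root.
    case $hf_patch in /*) ;; *) hf_patch=$PWD/$hf_patch ;; esac

    for hf_level in 1 2; do
        # A reverse dry run succeeds only when the fix is already in the files.
        if (cd "$hf_root" && patch -R -f -p"$hf_level" --dry-run < "$hf_patch") >/dev/null 2>&1; then
            echo "already applied (-p$hf_level)"
            return 0
        fi
        # A forward dry run proves every hunk applies before anything is written.
        if (cd "$hf_root" && patch -f -p"$hf_level" --dry-run < "$hf_patch") >/dev/null 2>&1; then
            (cd "$hf_root" && patch -f -p"$hf_level" < "$hf_patch") >/dev/null || return 1
            echo "applied with -p$hf_level"
            return 0
        fi
    done

    echo "patch does not apply cleanly with -p1 or -p2; no files were changed" >&2
    return 1
}
```

A non-zero return means the store is still unpatched, so a deployment script should stop there instead of going on to the cache refresh.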

Final thoughts: Act Now!

Take the right measure and apply the patch today to avoid giving hackers any access in the future.

Article by

Sanjay Jethva

Sanjay is the co-founder and CTO of Meetanshi with hands-on expertise with Magento since 2011. He specializes in complex development, integrations, extensions, and customizations. Sanjay is one of the top 50 contributors to the Magento community and is recognized by Adobe. His passion for Magento 2 and Shopify solutions has made him a trusted source for...