On October 14, 2025, Adobe released a scheduled security update under bulletin ID APSB25-94, addressing critical and important vulnerabilities in Magento Open Source and Adobe Commerce.
Adobe assigned the update a priority rating of 2, which in Adobe's rating scheme means it should be installed promptly, ideally within 30 days.
Leaving it unapplied may allow attackers to bypass security features, escalate privileges, or execute arbitrary code on affected stores.
Affected Versions
Here is the list of affected versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source:
| Product | Affected Versions |
|---|---|
| Adobe Commerce | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier |
| Adobe Commerce B2B | 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.5-p12 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier |
| Magento Open Source | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier |
What Security Vulnerabilities are Addressed?
The APSB25-94 security update resolves five vulnerabilities, two of them rated critical, that could have severe impact if exploited.
| Vulnerability Category | Vulnerability Impact | Severity | CVE number(s) |
|---|---|---|---|
| Improper Access Control | Security feature bypass | Critical | CVE-2025-54263 |
| Cross-site Scripting (Stored XSS) | Privilege escalation | Critical | CVE-2025-54264 |
| Incorrect Authorization | Security feature bypass | Important | CVE-2025-54265 |
| Cross-site Scripting (Stored XSS) | Arbitrary code execution | Important | CVE-2025-54266 |
| Incorrect Authorization | Privilege escalation | Important | CVE-2025-54267 |
Here is why these vulnerabilities matter:
- The improper access control flaw is a security feature bypass with a high confidentiality impact: an attacker can reach data in your store that the access control was supposed to protect.
- The stored XSS flaws let an attacker plant malicious script that later runs in an administrator's browser session, which is how a low-privileged account is escalated to admin rights or arbitrary code is executed in the backend.
- The incorrect authorization flaws let an attacker perform actions their account was never granted, again resulting in a security feature bypass or privilege escalation.
Taken together, the fixes in this update range from stopping an unauthenticated attacker from bypassing security features to stopping an authenticated attacker from fully compromising the administrative backend of your Magento 2 store, which is why it should be treated as urgent.
Solution: Update to the Patched Magento 2 Versions
Adobe recommends updating to the following versions to address these vulnerabilities. Each patched release corresponds to the affected branch listed above.
| Product | Updated Version |
|---|---|
| Adobe Commerce | 2.4.9-alpha3 for 2.4.9-alpha2; 2.4.8-p3 for 2.4.8-p2 and earlier; 2.4.7-p8 for 2.4.7-p7 and earlier; 2.4.6-p13 for 2.4.6-p12 and earlier; 2.4.5-p15 for 2.4.5-p14 and earlier; 2.4.4-p16 for 2.4.4-p15 and earlier |
| Adobe Commerce B2B | 1.5.3-alpha3 for 1.5.3-alpha2; 1.5.2-p3 for 1.5.2-p2 and earlier; 1.4.2-p8 for 1.4.2-p7 and earlier; 1.3.5-p13 for 1.3.5-p12 and earlier; 1.3.4-p15 for 1.3.4-p14 and earlier; 1.3.3-p16 for 1.3.3-p15 and earlier |
| Magento Open Source | 2.4.9-alpha3 for 2.4.9-alpha2; 2.4.8-p3 for 2.4.8-p2 and earlier; 2.4.7-p8 for 2.4.7-p7 and earlier; 2.4.6-p13 for 2.4.6-p12 and earlier; 2.4.5-p15 for 2.4.5-p14 and earlier |
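The first practical step is to find out which branch your store runs and which patch release it needs. The script below is an added example, not Adobe's tooling and not code from the original page: it maps an installed version to the APSB25-94 fix release using the table above, reads the installed version from `bin/magento --version` when run from a Magento root (falling back to a constructed sample otherwise), and prints the Composer upgrade commands Adobe documents for moving to a patch release. The function names, the fallback version, and the `unlisted`/`unaffected` result strings are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Adobe's tooling): which APSB25-94 patch release does an
# installed Magento Open Source / Adobe Commerce version need?
# Branch -> fix mapping is taken from the bulletin table; everything else
# (function names, fallback sample version) is an assumption of this example.

# Print the APSB25-94 fix release for the branch of $1, or "unaffected" when
# the installed patch level already meets it. Prints "unlisted" and returns 1
# for versions the bulletin tables do not cover (e.g. 2.3.x, or a bare 2.4.9).
apsb25_94_target() {
    installed="$1"
    branch=${installed%%-*}            # 2.4.7-p5 -> 2.4.7
    suffix=${installed#"$branch"}      # -> -p5 (empty when no suffix)
    case "$branch" in
        2.4.9) target="2.4.9-alpha3" ;;
        2.4.8) target="2.4.8-p3" ;;
        2.4.7) target="2.4.7-p8" ;;
        2.4.6) target="2.4.6-p13" ;;
        2.4.5) target="2.4.5-p15" ;;
        2.4.4) target="2.4.4-p16" ;;   # listed for Adobe Commerce only
        *) echo "unlisted"; return 1 ;;
    esac
    # The 2.4.9 line in this bulletin is alpha-only; a bare 2.4.9 is not covered.
    if [ "$branch" = "2.4.9" ] && [ -z "$suffix" ]; then
        echo "unlisted"; return 1
    fi
    # Compare only the numeric part of the suffix: -p5 -> 5, -alpha2 -> 2, none -> 0.
    have=$(printf '%s' "$suffix" | tr -cd '0-9'); have=${have:-0}
    need=$(printf '%s' "${target#*-}" | tr -cd '0-9')
    if [ "$have" -ge "$need" ]; then echo "unaffected"; else echo "$target"; fi
}

# Read the installed version from bin/magento when run inside a Magento root;
# otherwise use a constructed sample so the example runs anywhere.
detect_installed_version() {
    if [ -x bin/magento ]; then
        bin/magento --version 2>/dev/null | grep -oE '2\.4\.[0-9]+(-[a-z]+[0-9]+)?' | head -n1
    else
        echo "2.4.7-p5"   # constructed sample, not a real store
    fi
}

# Print (do not run) the upgrade commands Adobe documents for a patch release.
# require-commerce comes from magento/composer-root-update-plugin.
# $1 = target version, $2 = package (Adobe Commerce uses
# magento/product-enterprise-edition instead of the Open Source package).
upgrade_commands() {
    pkg=${2:-magento/product-community-edition}
    printf 'composer require-commerce %s=%s --no-update\n' "$pkg" "$1"
    printf 'composer update\nbin/magento setup:upgrade\nbin/magento setup:di:compile\n'
    printf 'bin/magento setup:static-content:deploy\nbin/magento cache:flush\n'
}

current=$(detect_installed_version)
if target=$(apsb25_94_target "$current"); then
    if [ "$target" = "unaffected" ]; then
        echo "$current is already at or above the APSB25-94 fix for its branch"
    else
        echo "$current is affected by APSB25-94; update to $target:"
        upgrade_commands "$target"
    fi
else
    echo "$current: branch not listed in the APSB25-94 tables; check Adobe's bulletin directly"
fi
```

Run it from the Magento root after `composer install` so `bin/magento` is present; the printed commands still need to be run by hand (in maintenance mode, on a staging copy first), and Adobe Commerce merchants should pass `magento/product-enterprise-edition` as the second argument to `upgrade_commands`. The comparison deliberately looks only at the numeric patch level, so a version newer than the bulletin (for example 2.4.8-p4) reports as unaffected rather than being mis-flagged.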
Protect Your Store Now!
We strongly recommend that all merchants running an affected Adobe Commerce or Magento Open Source version take action immediately.
If you are not comfortable performing these updates yourself, our Magento Security Patches Installation Service provides professional assistance to ensure a secure and seamless update process.
Keep your store secure with the latest Magento 2 patches; apply them before it is too late.