A critical security vulnerability has been disclosed in Adobe Commerce and Magento Open Source (CVE-2025-54236), with significant implications for store security. This article walks through what is known so far, which versions are affected, what the risk is, and what steps merchants should take to protect themselves.
What is the vulnerability?
- Adobe recently announced that the Commerce REST API has a weakness that could allow an attacker to take over customer accounts.
- The technical nature of the issue is classified under “Improper Input Validation / Security Feature Bypass”.
- According to Adobe, there is no evidence yet of this vulnerability being exploited in the wild.
Severity and Impact
- The vulnerability carries a CVSS base score of 9.1, which is very high.
- It is exploitable without needing authentication or administrative privileges. In other words, an attacker doesn’t need to already have a valid login or be an admin to leverage this flaw.
- Because customers’ accounts are involved, sensitive data or functionality could potentially be accessed or manipulated, possibly undermining trust and causing financial or reputational harm.
Affected versions
The vulnerability affects a broad range of versions across Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Specifically:
- Adobe Commerce versions 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier.
- Adobe Commerce B2B includes various earlier patch levels up to 1.5.3-alpha2; 1.5.2-p2; 1.4.2-p7; 1.3.4-p14; 1.3.3-p15.
- Magento Open Source is in the same version ranges as Adobe Commerce: anything up through 2.4.9-alpha2 / 2.4.8-p2 / 2.4.7-p7, etc.
Additionally, the Custom Attributes Serializable module (versions 0.1.0 through 0.3.0) is specifically flagged.
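As an added example (not Adobe's tooling and not code from the bulletin), the following Python script checks the versions recorded in a composer-based install against the ranges listed above. The two Magento product package names are the real ones Composer uses for Magento Open Source and Adobe Commerce; the Composer name of the Custom Attributes Serializable module is not given on this page, so it is an assumed placeholder you must replace. One caveat worth keeping in mind: the hotfix does not change the version string, so a version inside the listed range means "confirm the hotfix is applied", not "definitely unpatched".

```python
"""Compare installed Magento / Adobe Commerce versions against the ranges
listed for CVE-2025-54236. Added example, not an Adobe tool."""
import json
import re

# Ordering of pre-release / patch suffixes: alpha < beta < GA (no suffix) < p (patch).
STAGE_ORDER = {"alpha": 0, "beta": 1, None: 2, "p": 3}
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Turn '2.4.7-p6' into a tuple that sorts the way Magento versions do."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), STAGE_ORDER[stage], int(n or 0))


# Highest affected version of each release line, taken from the bulletin text.
COMMERCE_CEILINGS = [parse_version(v) for v in (
    "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15")]
MODULE_FIRST_AFFECTED = parse_version("0.1.0")   # module 0.1.0 through 0.3.0 affected
MODULE_FIRST_FIXED = parse_version("0.4.0")      # module 0.4.0 or higher fixes it

# Real Composer package names for the two editions.
CORE_PACKAGES = {"magento/product-community-edition", "magento/product-enterprise-edition"}
# ASSUMED placeholder: the module's real Composer name is not given in the bulletin.
MODULE_PACKAGE = "vendor/custom-attributes-serializable"


def core_is_affected(version):
    """True when the core version falls inside a listed 'X and earlier' range."""
    v = parse_version(version)
    oldest_line = min(c[:3] for c in COMMERCE_CEILINGS)
    for ceiling in COMMERCE_CEILINGS:
        if v[:3] == ceiling[:3]:          # same release line, e.g. 2.4.7
            return v <= ceiling
    # Release lines older than any listed one are treated as "and earlier" (conservative).
    return v[:3] < oldest_line


def module_is_affected(version):
    """True for module versions from 0.1.0 up to (not including) the fixed 0.4.0."""
    v = parse_version(version)
    return MODULE_FIRST_AFFECTED <= v < MODULE_FIRST_FIXED


def assess_lockfile(lock_text):
    """Return {package: (version, affected)} for the packages this bulletin covers."""
    findings = {}
    for pkg in json.loads(lock_text).get("packages", []):
        name, version = pkg["name"], pkg["version"]
        if name in CORE_PACKAGES:
            findings[name] = (version, core_is_affected(version))
        elif name == MODULE_PACKAGE:
            findings[name] = (version, module_is_affected(version))
    return findings


# Constructed composer.lock fragment: a store on 2.4.7-p6 with the module at 0.2.0.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.4.7-p6"},
    {"name": "vendor/custom-attributes-serializable", "version": "0.2.0"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    for name, (version, affected) in assess_lockfile(SAMPLE_LOCK).items():
        status = "in affected range: confirm hotfix/upgrade" if affected else "outside listed ranges"
        print(f"{name} {version}: {status}")
```

To run it against a real store, replace `SAMPLE_LOCK` with the contents of the store's `composer.lock` (`assess_lockfile(open("composer.lock").read())`) and set `MODULE_PACKAGE` to the module's actual Composer name.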
What has been done
- Adobe has released a hotfix named VULN-32437-2-4-X-patch, which addresses CVE-2025-54236.
- For the module “Custom Attributes Serializable”, version 0.4.0 (or higher) fixes the problem.
- Adobe has also deployed web application firewall (WAF) rules for merchants using Adobe Commerce on Cloud infrastructure, as a protective measure while patches are being applied.
What should e-commerce operators do
Given the severity and the possibility that the vulnerability could be exploited without prior credentials, it's important for e-commerce teams to act quickly. Below are recommended steps:
- Inventory your versions: check your store’s version of Adobe Commerce / Magento Open Source and whether the “Custom Attributes Serializable” module is installed, and at which version.
- Apply the hotfix:
  - If you use any of the affected versions, apply VULN-32437-2-4-X-patch from Adobe as soon as possible.
  - For the Custom Attributes Serializable module (v0.1.0-0.3.0), upgrade to v0.4.0 or above.
- Verify patch application:
  - For Adobe Commerce on Cloud: verify whether the isolated patch has been applied. Adobe provides instructions, including steps involving the Quality Patches Tool.
  - For on-premises or self-hosted versions: ensure that hotfixes are correctly installed and tested.
- Monitor for signs of compromise:
  - Unusual login activity on customer accounts
  - Customer reports of unauthorized access
  - Unexpected behavior via REST API calls
- Stay up to date with Adobe security bulletins: security is a moving target. Even after patching, being aware of further advisories is essential.
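The monitoring step above names "unexpected behavior via REST API calls" without saying what that looks like in logs. As an added example, not part of the original article, here is a small Python detector that reads web-server access-log lines in the common combined format and flags clients that issue an unusual burst of REST requests against customer resources, or an unusual number of modifying (non-GET) calls, within a short sliding window. The log lines, IP addresses and thresholds are constructed for illustration and will need tuning to a store's normal traffic; the `/rest/.../V1/customers` path family is the one Magento exposes for customer data.

```python
"""Flag clients with unusual REST API activity against customer resources.
Added example for defenders; sample log lines are constructed, not real."""
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return the fields we need, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_customer_api(path):
    """Magento serves customer resources under /rest/<store>/V1/customers/..."""
    return "/rest/" in path and "/V1/customers" in path


def find_suspicious(lines, window=timedelta(minutes=5), rate_limit=20, write_limit=5):
    """Return {client_ip: set_of_reasons}. Lines are assumed to be in time order.

    rate_limit: more customer-API requests than this per window is a burst.
    write_limit: more non-GET customer-API calls than this per window is flagged.
    Both thresholds are illustrative; tune them to the store's baseline.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, method) inside the window
    alerts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_customer_api(rec["path"]):
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["method"]))
        while q and rec["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) > rate_limit:
            alerts[rec["ip"]].add("burst of customer REST API requests")
        writes = sum(1 for _, method in q if method != "GET")
        if writes > write_limit:
            alerts[rec["ip"]].add("many modifying calls to customer resources")
    return dict(alerts)


def _line(ip, minute, second, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Sep/2025:12:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-sample"')


# Constructed sample: one ordinary shopper session and one noisy client (TEST-NET addresses).
SAMPLE_LOG = [
    _line("203.0.113.5", 0, 1, "GET", "/rest/V1/customers/me", 200),
    _line("203.0.113.5", 0, 9, "GET", "/rest/V1/carts/mine", 200),
]
SAMPLE_LOG += [_line("198.51.100.7", 1, i, "PUT", f"/rest/V1/customers/{1000 + i}", 200)
               for i in range(25)]

if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(sorted(reasons)))
```

In practice you would feed the function `open("access.log")` instead of `SAMPLE_LOG`, and follow an alert by correlating the client with customer-account login events and customer reports, which the list above names as the other two signals.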
Why this matters — broader implications
- Because the vulnerability does not require prior admin credentials, it's more dangerous than many that are limited to privileged access.
- Because the REST API is often broadly exposed, many stores may be vulnerable even if their internal user management is fairly tight.
- Failure to patch can lead not only to data leakage or account takeover, but potentially to brand damage and loss of customer trust — especially in e-commerce, where customers expect safety and reliability.
Conclusion
This newly disclosed vulnerability (CVE-2025-54236) in Adobe Commerce / Magento Open Source, particularly affecting accounts via REST API, represents a serious risk for stores running out-of-date software. Applying the hotfixes promptly and verifying that all patches are in place are essential steps. Further, store owners should review how their APIs are used, monitor any suspicious behavior, and maintain vigilance via security bulletins and best practices.