A critical vulnerability, officially designated as CVE-2025-47110, has been recently identified in Magento (Adobe Commerce), prompting Adobe to issue urgent updates. This security issue is significant because it directly impacts Magento’s administration panel, which is the heart of managing an online store.
Let’s dive into what this means for store owners and administrators, even if you aren’t a Magento expert.
What exactly is this vulnerability?
At its core, this issue is commonly referred to as a stored Cross-Site Scripting (XSS) vulnerability. Don’t let the technical term scare you—it essentially means that someone with high-level admin access can insert harmful scripts (like malicious JavaScript code) into the Magento backend.
Here’s how the attack typically unfolds:
- A user with administrative privileges (often a compromised or misused account) enters harmful code into forms or fields in the Magento admin interface.
- Once this happens, any admin user who visits certain backend pages might unknowingly trigger that malicious script.
- These scripts could then perform actions like stealing login details, modifying store settings, or even completely hijacking the site.
Real-world signs: issues with your admin panel
One practical symptom observed in recent research is related to Magento’s side or top navigation menu. Victims of this attack might suddenly find that their menu bar is missing, distorted, or behaving unpredictably. This unexpected behavior can be a red flag indicating that the malicious script is active in the backend.
However, the potential harm extends far beyond just visual glitches. Malicious scripts could silently harvest sensitive information or even open a gateway for further, deeper intrusions into your system.
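As an added defensive example (not code from the original post or from Adobe), a small Python triage script that scans content dumped from admin-editable tables for markup that should never be there, decoding HTML entities first so an encoded payload is not missed. The table and column names are assumed from Magento's schema, and the sample rows are constructed for this example.

```python
import html
import re

# Broad indicators that should never appear in admin-editable text (store
# names, CMS blocks, design/head settings). Heuristics for triage, not a
# complete XSS detector: the event-handler pattern also matches words like "one=".
SUSPICIOUS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|object|embed)\b", re.I), "embedded frame/object"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]

def scan_value(location, value, max_decode=3):
    """Return (location, reason, snippet) tuples for one stored value.
    The value is HTML-entity-decoded up to max_decode times before matching,
    since a template may decode '&lt;script&gt;' before the browser renders it."""
    findings, seen, text = [], set(), value
    for _ in range(max_decode + 1):
        for pattern, reason in SUSPICIOUS:
            m = pattern.search(text)
            if m and reason not in seen:
                seen.add(reason)
                findings.append((location, reason, text[max(0, m.start() - 20):m.end() + 20]))
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return findings

def scan_rows(rows):
    """rows: iterable of (location, value) pairs, e.g. dumped from
    core_config_data (path, value) or cms_block (identifier, content)."""
    out = []
    for location, value in rows:
        if value:
            out.extend(scan_value(location, value))
    return out

# Constructed sample rows: the table names mirror Magento's schema (assumed),
# the contents are made up for this example.
SAMPLE_ROWS = [
    ("core_config_data:general/store_information/name", "My Store"),
    ("cms_block:footer_links", '<p>Contact us</p><img src=x onerror="alert(1)">'),
    ("core_config_data:design/head/includes", "&lt;script&gt;alert(1)&lt;/script&gt;"),
    ("cms_page:home", "<h1>Welcome</h1>"),
]

for location, reason, snippet in scan_rows(SAMPLE_ROWS):
    print(f"{location}: {reason} -> {snippet!r}")
```

Run it against a real dump by replacing SAMPLE_ROWS with rows selected from the admin-editable tables; any hit is a row to inspect by hand, not proof of compromise.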
How severe is this threat?
This vulnerability has been rated as critical, with a severity score of 9.1 out of 10 by security experts. This high score reflects the ease of exploitation (even though it requires some admin-level access) and the potentially devastating impact it can have on your online store, data security, and business reputation.
Which Magento versions are vulnerable?
The issue affects a wide range of Magento versions, specifically:
- Magento Open Source and Adobe Commerce versions:
  - 2.4.8
  - 2.4.7-p5 and earlier
  - 2.4.6-p10 and earlier
  - 2.4.5-p12 and earlier
  - 2.4.4-p13 and earlier
- Adobe Commerce B2B:
  - 1.5.2 and earlier
  - 1.4.2-p5 and earlier
  - 1.3.5-p10 and earlier
  - 1.3.4-p12 and earlier
  - 1.3.3-p13 and earlier
What’s the fix?
Adobe has released immediate security updates (under bulletin APSB25-50) to resolve this issue. Store owners can approach this in two ways:
- Full upgrade: Update Magento to a secure release such as 2.4.9-alpha1, or to a security patch release such as 2.4.8-p1 or 2.4.7-p6.
- Quick patch: If a full upgrade isn’t immediately feasible, Adobe has provided an isolated patch (VULN-31609_2.4.X.patch) that specifically addresses this vulnerability.
Adobe strongly urges store owners to apply these patches as soon as possible.
If you run a Magento-based store, here are practical, immediate steps you can take:
- Apply patches immediately. Prioritize this fix to avoid potentially devastating outcomes.
- Monitor your admin panel closely. Watch for visual glitches or unexpected changes, especially issues with menu bars.
- Secure admin accounts. Regularly update passwords and limit admin access to trusted individuals.
- Review installed extensions regularly. Keep third-party modules updated and remove unused or untrusted ones.
Stay safe, keep your store secure, and make sure to share this information with your team and community.