Critical Adobe Commerce Security Update APSB25-88: Key Highlights

Adobe released an emergency security patch, APSB25-88, on September 9, 2025, to address CVE-2025-54236, a critical vulnerability that lets attackers take over customer accounts through the Commerce REST API.

This severe vulnerability puts your online store and customer accounts at risk. If left unpatched, attackers could gain unauthorized access to sensitive customer data, potentially leading to financial loss, reputational damage, and compliance violations.

Key Vulnerabilities Fixed in Adobe Commerce Security Update APSB25-88

The CVE-2025-54236 issue exposes stores to severe risks, including:

  • Attackers could bypass security controls without authentication
  • CVSS score is 9.1, a critical rating
  • Exploitable over the network, no user interaction required
  • Attackers don’t need credentials or admin privileges to access customer data

This critical vulnerability poses significant security risks, so businesses should apply the update immediately to prevent potential security breaches.

Affected Versions

Adobe released an emergency security update, APSB25-88, for Adobe Commerce and Magento Open Source to fix the critical vulnerability.

  • Adobe Commerce: 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier.
  • Adobe Commerce B2B: 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier.
  • Magento Open Source: 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier.

Custom Attributes Serializable Module Update

Adobe Commerce users need to update the Custom Attributes Serializable module (magento/out-of-process-custom-attributes) from versions 0.1.0 to 0.3.0 to version 0.4.0 or higher as part of applying security update APSB25-88.

To update this module, run the following Composer command:

composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies

Versions Affected by the Custom Attributes Serializable Module Update

Adobe Commerce:

  • 2.4.9-alpha1, 2.4.9-alpha2
  • 2.4.8, 2.4.8-p1, 2.4.8-p2
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
  • 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13, 2.4.4-p14, 2.4.4-p15

Adobe Commerce B2B:

  • 1.5.3-alpha1, 1.5.3-alpha2
  • 1.5.2, 1.5.2-p1, 1.5.2-p2
  • 1.5.1
  • 1.5.0
  • 1.4.2, 1.4.2-p1, 1.4.2-p2, 1.4.2-p3, 1.4.2-p4, 1.4.2-p5, 1.4.2-p6, 1.4.2-p7
  • 1.4.1
  • 1.4.0
  • 1.3.5, 1.3.5-p1, 1.3.5-p2, 1.3.5-p3, 1.3.5-p4, 1.3.5-p5, 1.3.5-p6, 1.3.5-p7, 1.3.5-p8, 1.3.5-p9, 1.3.5-p10, 1.3.5-p12
  • 1.3.4, 1.3.4-p1, 1.3.4-p2, 1.3.4-p3, 1.3.4-p4, 1.3.4-p5, 1.3.4-p6, 1.3.4-p7, 1.3.4-p8, 1.3.4-p9, 1.3.4-p10, 1.3.4-p11, 1.3.4-p12, 1.3.4-p13, 1.3.4-p14
  • 1.3.3, 1.3.3-p1, 1.3.3-p2, 1.3.3-p3, 1.3.3-p4, 1.3.3-p5, 1.3.3-p6, 1.3.3-p7, 1.3.3-p8, 1.3.3-p9, 1.3.3-p10, 1.3.3-p11, 1.3.3-p12, 1.3.3-p13, 1.3.3-p14, 1.3.3-p15

Magento Open Source:

  • 2.4.9-alpha1, 2.4.9-alpha2
  • 2.4.8, 2.4.8-p1, 2.4.8-p2
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
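As an added example (not from Adobe or from this post), the following Python script reads a composer.lock and reports whether the installed core version falls inside one of the "and earlier" ranges listed above and whether magento/out-of-process-custom-attributes is still below the fixed 0.4.0. The Composer package names for the core product and the embedded lock file are assumptions constructed for the example; the B2B extension is not covered.

```python
import json
import re

# Highest affected release per branch from APSB25-88 ("X and earlier").
# Adobe Commerce B2B is omitted here. Package names are assumed for the example.
AFFECTED = {
    "magento/product-community-edition":   # Magento Open Source
        ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
    "magento/product-enterprise-edition":  # Adobe Commerce
        ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
}
CUSTOM_ATTR = "magento/out-of-process-custom-attributes"
CUSTOM_ATTR_FIXED = "0.4.0"

# Constructed sample composer.lock (not from a real store): a 2.4.7 patch-level
# install that still carries the 0.3.0 custom-attributes module.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.4.7-p5"},
    {"name": CUSTOM_ATTR, "version": "0.3.0"},
]})

def parse_version(v):
    """Order Magento-style versions: 2.4.9-alpha2 < 2.4.9-beta1 < 2.4.9 < 2.4.9-p1."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    rank = {"alpha": 0, "beta": 1, None: 2, "p": 2}[m.group(4)]
    return tuple(int(m.group(i)) for i in (1, 2, 3)) + (rank, int(m.group(5) or 0))

def core_affected(package, version):
    """True/False when the branch is listed in the advisory, None when it is not listed."""
    for ceiling in AFFECTED.get(package, []):
        if parse_version(ceiling)[:3] == parse_version(version)[:3]:
            return parse_version(version) <= parse_version(ceiling)
    return None

def assess_packages(packages):
    """Summarise patch state from composer.lock 'packages' entries (name/version dicts)."""
    versions = {p["name"]: p["version"] for p in packages}
    core = next((n for n in AFFECTED if n in versions), None)
    module = versions.get(CUSTOM_ATTR)
    return {
        "core": f"{core} {versions[core]}" if core else None,
        "core_affected": core_affected(core, versions[core]) if core else None,
        "module_version": module,
        "module_needs_update": module is not None
            and parse_version(module) < parse_version(CUSTOM_ATTR_FIXED),
    }

def assess_lock(lock_text):
    return assess_packages(json.loads(lock_text)["packages"])

if __name__ == "__main__":
    for key, value in assess_lock(SAMPLE_LOCK).items():
        print(f"{key}: {value}")
```

Point assess_lock at the real composer.lock of a store to get the same report; a None result for core_affected means the branch is not in the advisory's lists and needs a manual check.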

How to Apply Adobe Commerce Security Update APSB25-88

Adobe strongly recommends that Adobe Commerce and Magento Open Source users apply the patch within 24 hours to mitigate critical security risks and minimize exposure to vulnerabilities.

  • Apply the patch right away

Adobe released a hotfix (ID: VULN-32437-2-4-X-patch) that fixes CVE-2025-54236. Implement the patch without delay.

  • Adobe Commerce on Cloud users

Adobe has already deployed WAF (Web Application Firewall) rules on its side to block this attack. However, this is not enough. It is strongly recommended to verify your patching strategy and take the necessary actions to address the vulnerability.

  • On-Prem or Non-Cloud users

To protect against this vulnerability, urgently deploy Adobe's WAF rules or the Sansec Shield patch.

  • Sansec dubbed the bug “SessionReaper” and applied the patch swiftly
  • WAF rules can be applied within 24 hours
  • Post-Patch Sanity Check

If you are not able to apply the patch within 24 hours, run a malware scan (e.g., eComscan) to identify possible compromises, and consider rotating your secret crypt key.

Don’t leave your store vulnerable! As an Adobe Commerce certified partner, ioVista can apply APSB25-88 immediately and ensure business continuity. Contact us today to secure your store.

Official Link: https://helpx.adobe.com/security/products/magento/apsb25-88.html
