Action Required: Critical Security Update Available for Adobe Commerce  (APSB25-88)

Updated on September 18, 2025

We were recently made aware by independent security researchers of an issue in Adobe Commerce where an attacker could take over customer accounts through the Commerce REST API (CVE-2025-54236).

Adobe has no evidence of this vulnerability being exploited in the wild.

Adobe has released a security bulletin addressing this vulnerability, which can be found here.

NOTE: To remediate the vulnerability CVE-2025-54236 listed in the security bulletin above, Adobe has also released a hotfix VULN-32437-2-4-X-patch that resolves CVE-2025-54236.

Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited means to help remediate.

NOTE: For merchants using Adobe Commerce on Cloud infrastructure, we have deployed web application firewall (WAF) rules to protect environments against the exploitation of this vulnerability.

While Adobe has deployed WAF rules to mitigate exploitation of this vulnerability, relying solely on WAF rules does not provide comprehensive protection. Under the shared responsibility model, merchants are responsible for securing their application and ensuring patches are applied. The WAF is an additional layer of defense, but it does not replace the need to apply security hotfixes.

You must follow all remediation guidance provided here, which may include applying patches, updating modules, or implementing other recommended security measures. Failure to do so may leave your environment exposed and limit Adobe’s ability to assist with remediation.

NOTE: For Adobe Commerce on Managed Services merchants, your Customer Success Engineer can provide additional guidance on applying the hotfix.

NOTE: If you have any questions or need assistance, please don’t hesitate to contact our support team.

As a reminder, you can find the latest Security updates available for Adobe Commerce here.

Description

Affected Products and Versions

Adobe Commerce (all deployment methods):

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B:

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

Custom Attributes Serializable module:

  • versions 0.1.0 to 0.4.0

Issue

A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API.

Resolution

CVE-2025-54236: potential attacker could take over customer accounts through the Commerce REST API

For Custom Attributes Serializable module versions:

This guidance applies only if your Adobe Commerce instance currently has an older version of the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) installed.

NOTE:

  • If the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) isn’t installed in your environment, you can disregard this instruction and proceed with applying the provided hotfix patch VULN-32437-2-4-X-patch.
  • If you’re already running the latest version of the Custom Attributes Serializable module, no upgrade is necessary. Proceed with applying the provided hotfix patch VULN-32437-2-4-X-patch.

Make sure to apply the provided hotfix patch VULN-32437 to fully remediate the vulnerability.

Applicable versions: 0.1.0 - 0.3.0

Update Custom Attributes Serializable module to version 0.4.0 or higher.

To update the module, run this Composer command:

composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies

For Adobe Commerce versions:

  • 2.4.9-alpha1, 2.4.9-alpha2
  • 2.4.8, 2.4.8-p1, 2.4.8-p2
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
  • 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13, 2.4.4-p14, 2.4.4-p15

For Adobe Commerce B2B versions:

  • 1.5.3-alpha1, 1.5.3-alpha2
  • 1.5.2, 1.5.2-p1, 1.5.2-p2
  • 1.5.1
  • 1.5.0
  • 1.4.2, 1.4.2-p1, 1.4.2-p2, 1.4.2-p3, 1.4.2-p4, 1.4.2-p5, 1.4.2-p6, 1.4.2-p7
  • 1.4.1
  • 1.4.0
  • 1.3.5, 1.3.5-p1, 1.3.5-p2, 1.3.5-p3, 1.3.5-p4, 1.3.5-p5, 1.3.5-p6, 1.3.5-p7, 1.3.5-p8, 1.3.5-p9, 1.3.5-p10, 1.3.5-p12
  • 1.3.4, 1.3.4-p1, 1.3.4-p2, 1.3.4-p3, 1.3.4-p4, 1.3.4-p5, 1.3.4-p6, 1.3.4-p7, 1.3.4-p8, 1.3.4-p9, 1.3.4-p10, 1.3.4-p11, 1.3.4-p12, 1.3.4-p13, 1.3.4-p14
  • 1.3.3, 1.3.3-p1, 1.3.3-p2, 1.3.3-p3, 1.3.3-p4, 1.3.3-p5, 1.3.3-p6, 1.3.3-p7, 1.3.3-p8, 1.3.3-p9, 1.3.3-p10, 1.3.3-p11, 1.3.3-p12, 1.3.3-p13, 1.3.3-p14, 1.3.3-p15

For Magento Open Source versions:

  • 2.4.9-alpha1, 2.4.9-alpha2
  • 2.4.8, 2.4.8-p1, 2.4.8-p2
  • 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
  • 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
  • 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14

Apply the following hotfix or upgrade to the latest security patch:

How to apply the hotfix

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether patches have been applied

Because it isn’t easy to tell from the application itself whether the issue has been patched, we recommend checking that the CVE-2025-54236 isolated patch has been applied successfully.

NOTE: You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:

  1. Install the Quality Patches Tool.

  2. Run the command:

    vendor/bin/magento-patches -n status | grep "27015\|Status"

  3. You should see output similar to this, where this example VULN-27015 returns the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch         │ Other           │ Local                  │ Applied     │ Patch type: Custom                               ║
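As an added example (not Adobe's tooling or code), the following Python script parses a constructed sample of the `magento-patches status` table from the check above and a constructed composer.lock excerpt, and reports which of the two remediation steps in this article (updating the Custom Attributes Serializable module to 0.4.0 or higher, and applying the VULN-32437 hotfix) are still outstanding. The patch file names and package versions in the samples are assumed, not taken from a real environment.

```python
import json
import re

HOTFIX_ID = "VULN-32437"  # hotfix id from the bulletin
MODULE = "magento/out-of-process-custom-attributes"
FIXED_MODULE_VERSION = (0, 4, 0)  # first version not needing the update step

# Constructed sample of `vendor/bin/magento-patches -n status` output
# (file names are assumed; the table layout follows the tool's format).
SAMPLE_STATUS = """\
║ Id  │ Title                                                │ Category │ Origin │ Status      │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-32437-2-4-X-patch_COMPOSER.patch │ Other    │ Local  │ Applied     │ Patch type: Custom ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Not applied │ Patch type: Custom ║
"""

# Constructed composer.lock excerpt with a vulnerable module version installed.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/module-catalog", "version": "104.0.7-p7"},
    {"name": MODULE, "version": "0.3.0"},
]})

def parse_status(text):
    """Return {title: status} from the tool's box-drawn status table."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip("║ ").split("│")]
        if len(cells) >= 5 and cells[0] != "Id":  # skip header and blanks
            rows[cells[1]] = cells[4]
    return rows

def hotfix_applied(status_text, patch_id=HOTFIX_ID):
    """True if any row whose title contains patch_id reports Applied."""
    return any(patch_id in title and status == "Applied"
               for title, status in parse_status(status_text).items())

def module_version(lock_text, name=MODULE):
    """Installed version of `name` as a tuple, or None if not installed."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == name:
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", pkg["version"])
            return tuple(int(x) for x in m.groups()) if m else None
    return None

def module_needs_update(lock_text):
    """True only if the module is installed and older than 0.4.0."""
    v = module_version(lock_text)
    return v is not None and v < FIXED_MODULE_VERSION

def remediation_gaps(status_text, lock_text):
    """List the steps from this article that are still outstanding."""
    gaps = []
    if module_needs_update(lock_text):
        gaps.append("update " + MODULE + " to 0.4.0 or higher")
    if not hotfix_applied(status_text):
        gaps.append("apply hotfix " + HOTFIX_ID)
    return gaps
```

On a real instance, feed it the actual `vendor/bin/magento-patches -n status` output and the project's composer.lock instead of the constructed samples.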

Security updates

Security updates available for Adobe Commerce:
