Adobe Commerce: Security hotfix still flagged in SWAT report after application
In Adobe Commerce, after applying the security hotfix and successfully deploying it, the vulnerability still appears in the SWAT (Security-Warning Analysis Tool) report. This creates confusion about whether the hotfix was applied correctly.
Upgrading to a security patch version that includes the resolved vulnerability fixes the issue because SWAT flags vulnerabilities based on version detection, not the presence of hotfixes.
Description
Environment
Adobe Commerce
Issue/Symptoms
- The hotfix was applied as per Adobe's instructions.
- Magento cache was cleared, and deployment steps were completed.
- A new SWAT report was generated.
- Despite these actions, the vulnerability remains flagged in the SWAT report.
- This raises questions about:
  - Whether the hotfix was applied correctly.
  - Whether a delay or caching issue is affecting SWAT detection.
  - Whether additional steps are required to resolve the discrepancy.
Resolution
- SWAT flags vulnerabilities based on the detected Adobe Commerce version, not on whether a hotfix has been applied.
- Even after applying the hotfix, SWAT will continue to recommend the patch until the system is upgraded to a version in which the vulnerability is officially resolved.
- For CVE-2025-54236, as of September 11, 2025, the following versions are affected:
  - 2.4.9-alpha2 and earlier
  - 2.4.8-p2 and earlier
  - 2.4.7-p7 and earlier
  - 2.4.6-p12 and earlier
  - 2.4.5-p14 and earlier
  - 2.4.4-p15 and earlier
- There is currently no release available that contains the fix for this vulnerability.
- For example, if you are on 2.4.8-p2 and a 2.4.8-p3 release that includes the fix is eventually published, SWAT will stop recommending this patch only once you have upgraded to 2.4.8-p3. Applying the hotfix on 2.4.8-p2 does not change the detected version, so the finding stays in the report.
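To make the version-based behaviour concrete, the following is an added example (not Adobe's code or the actual SWAT implementation) that models the check described above: it parses Adobe Commerce version strings, compares them against the affected-version ceilings listed for CVE-2025-54236, and deliberately ignores whether a hotfix was applied. The suffix ordering (alphaN < GA < pN) and the `hotfix_applied` parameter are assumptions made for the illustration.

```python
import re
from typing import Tuple

# Affected-version ceilings for CVE-2025-54236 as listed in the article
# (as of September 11, 2025). Each branch is affected up to and including
# the version shown; anything later in that branch is treated as fixed.
AFFECTED_UP_TO = {
    "2.4.9": "2.4.9-alpha2",
    "2.4.8": "2.4.8-p2",
    "2.4.7": "2.4.7-p7",
    "2.4.6": "2.4.6-p12",
    "2.4.5": "2.4.5-p14",
    "2.4.4": "2.4.4-p15",
}

# major.minor.patch with an optional "-alphaN" or "-pN" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|p)(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a sortable tuple.

    Assumed ordering within one branch: alphaN < GA (no suffix) < pN.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, kind, num = m.groups()
    stage = {"alpha": 0, None: 1, "p": 2}[kind]
    return (int(major), int(minor), int(patch), stage, int(num or 0))


def swat_flags_cve_2025_54236(detected_version: str, hotfix_applied: bool = False) -> bool:
    """Model of SWAT's decision for this CVE: purely version based.

    `hotfix_applied` is accepted only to make the point explicit: it has
    no effect, exactly as the article describes.
    """
    del hotfix_applied  # intentionally unused: a version check cannot see a hotfix
    major, minor, patch = parse_version(detected_version)[:3]
    ceiling = AFFECTED_UP_TO.get(f"{major}.{minor}.{patch}")
    if ceiling is None:
        raise ValueError(f"branch not covered by the advisory data: {detected_version}")
    return parse_version(detected_version) <= parse_version(ceiling)


if __name__ == "__main__":
    # Scenario from the article: 2.4.8-p2 with and without the hotfix, then a
    # hypothetical 2.4.8-p3 that contains the fix (not released as of the article).
    for version, hotfix in [("2.4.8-p2", False), ("2.4.8-p2", True), ("2.4.8-p3", False)]:
        print(f"{version:<10} hotfix={hotfix!s:<5} flagged={swat_flags_cve_2025_54236(version, hotfix)}")
```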