Critical Security Update: Adobe Commerce and Magento Open Source (APSB25-88)

Security is not optional in today’s world of ecommerce – it is essential. Every Magento or Adobe Commerce store owner needs to be aware not just of features and performance but of important security patches.

On September 9, 2025, Adobe published a security bulletin (APSB25-88) alerting all users of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source to a serious threat and the need to act immediately.

Here is what you need to know – the risk you are facing, what versions may be affected and how to resolve the issue.

What is the Vulnerability (CVE-2025-54236)?

  • A critical vulnerability (CVE-2025-54236) has been discovered. An attacker could exploit it via the Commerce REST API to take over customer accounts.
  • The nature of the vulnerability: improper input validation (CWE-20), leading to a security feature bypass.

Note: Adobe says there is no evidence so far that this vulnerability has been exploited in the wild. However, given the severity, waiting is risky.

Which Versions are Affected?

Affected versions by product:

Adobe Commerce:
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B:
  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source:
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

What should you do?

Here are the steps to remediate and protect your systems:

Apply the hotfix immediately

Adobe has released VULN-32437-2-4-X-patch to address CVE-2025-54236. 

Update the Custom Attributes Serializable module

If you are using that module and your version is 0.1.0 to 0.3.0, upgrade to version 0.4.0 or higher. Use the composer command:

composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies

Upgrade to newest patched version

If possible, upgrade beyond the vulnerable releases to the latest version that includes this fix. Even if you install a hotfix, maintaining up-to-date systems is best practice. Adobe rates this update as “priority 2” so you should plan for more regular updates and monitoring.
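To decide which stores need the steps above, the affected-version list and the module range can be checked against a store's composer.lock. The following is an added example, not code from Adobe or from this article; the Composer package names for the three products, the per-release-line reading of "and earlier", and the sample lock file are assumptions.

```python
import json
import re

# Highest affected release per release line, copied from the affected-versions list above.
CEILINGS = {
    "Adobe Commerce": "2.4.9-alpha2 2.4.8-p2 2.4.7-p7 2.4.6-p12 2.4.5-p14 2.4.4-p15",
    "Adobe Commerce B2B": "1.5.3-alpha2 1.5.2-p2 1.4.2-p7 1.3.4-p14 1.3.3-p15",
    "Magento Open Source": "2.4.9-alpha2 2.4.8-p2 2.4.7-p7 2.4.6-p12 2.4.5-p14",
}
# Assumed Composer package names for each product (not given on the page).
PACKAGES = {
    "magento/product-enterprise-edition": "Adobe Commerce",
    "magento/extension-b2b": "Adobe Commerce B2B",
    "magento/product-community-edition": "Magento Open Source",
}
MODULE = "magento/out-of-process-custom-attributes"
STAGE = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "p": 1}  # pre-releases sort below the plain release, -pN above

def parse(version):  # '2.4.7-p7' -> ((2, 4, 7), (1, 7)); ValueError on any other shape
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(map(int, m.group(1, 2, 3))), (STAGE[m.group(4) or ""], int(m.group(5) or 0))

def is_affected(product, version):
    base, suffix = parse(version)
    ceilings = dict(parse(c) for c in CEILINGS[product].split())
    if base in ceilings:
        return suffix <= ceilings[base]
    # Assumption: an unlisted line older than the newest listed one counts as "and earlier".
    return base < max(ceilings)

def module_needs_upgrade(version):  # 0.1.0 to 0.3.0 must move to 0.4.0 or higher
    return (0, 1, 0) <= parse(version)[0] <= (0, 3, 0)

def audit_lock(lock_text):  # {package: version} for each locked package the bulletin flags
    hits = {}
    for pkg in json.loads(lock_text).get("packages", []):
        name, version = pkg.get("name"), pkg.get("version", "")
        if (name in PACKAGES and is_affected(PACKAGES[name], version)) or \
           (name == MODULE and module_needs_upgrade(version)):
            hits[name] = version
    return hits

# Constructed composer.lock excerpt, not taken from a real store.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.4.7-p7"},
    {"name": "magento/out-of-process-custom-attributes", "version": "0.3.0"},
]})
```

A hit means the release is in the affected range; a store that has applied the hotfix still reports the same version, so treat a hit as a prompt to confirm the hotfix is installed.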

Conclusion

This is a serious vulnerability that Adobe has flagged as “critical.” Even though there are no known active exploits yet, the severity means that waiting isn’t wise. Any business running Adobe Commerce / Magento needs to act right away: apply the hotfix, update the module if used, verify the patch, and ensure long-term upgrade paths.

If you need help applying the patch, MageComp is here to assist.

FAQ

  1. What is APSB25-88?

APSB25-88 is the Adobe security bulletin published on September 9, 2025. It discloses a critical vulnerability with CVE-2025-54236 for Adobe Commerce, Adobe Commerce B2B and Magento Open Source which may let attackers take over customer accounts through the Commerce REST API.

  2. Which versions of Adobe Commerce and Magento are affected?

  • Adobe Commerce & Magento Open Source: 2.4.4-p15 and earlier up to 2.4.9-alpha2.
  • Adobe Commerce B2B: versions 1.5.3-alpha2 and earlier.
  • Custom Attributes Serializable module: versions 0.1.0-0.3.0.

  3. Can you assist me in installing the patch?

Yes! MageComp offers an installation service for Magento Security Patches, where experienced technicians implement the patching. They make sure that compatibility is confirmed, back up your data for safety, install the patches, and as a result, you receive a safe shop, without disruption to store operations.
