Bulletin ID
Last updated on
Jun 25, 2025
Security update available for Adobe Commerce | APSB25-50
|
|
Date Published |
Priority |
|---|---|---|
|
APSB25-50 |
June 10, 2025 |
1 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to security feature bypass, privilege escalation and arbitrary code execution.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce |
2.4.8 2.4.7-p5 and earlier 2.4.6-p10 and earlier 2.4.5-p12 and earlier 2.4.4-p13 and earlier |
All |
| Adobe Commerce B2B |
1.5.2 and earlier 1.4.2-p5 and earlier 1.3.5-p10 and earlier 1.3.4-p12 and earlier 1.3.3-p13 and earlier |
All |
| Magento Open Source | 2.4.8 2.4.7-p5 and earlier 2.4.6-p10 and earlier 2.4.5-p12 and earlier |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce |
2.4.9-alpha1 2.4.8-p1 for 2.4.8 2.4.7-p6 for 2.4.7-p5 and earlier 2.4.6-p11 for 2.4.6-p10 and earlier 2.4.5-p13 for 2.4.5-p12 and earlier 2.4.4-p14 for 2.4.4-p13 and earlier |
All |
1 |
|
| Adobe Commerce B2B |
1.5.3-alpha1 1.5.2-p1 for 1.5.2 1.4.2-p6 for 1.4.2-p5 and earlier 1.3.4-p13 for 1.3.4-p12 and earlier 1.3.3-p14 for 1.3.3-p13 and earlier |
All | 2 | |
| Magento Open Source |
2.4.9-alpha1 2.4.8-p1 for 2.4.8 2.4.7-p6 for 2.4.7-p5 and earlier 2.4.6-p11 for 2.4.6-p10 and earlier 2.4.5-p13 for 2.4.5-p12 and earlier |
All |
2 | |
| Adobe Commerce and Magento Open Source | Isolated patch on CVE-2025-47110 | All | 1 | Release Notes for Isolated Patch on CVE-2025-47110. |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Cross-site Scripting (Reflected XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-47110 | |
| Improper Authorization (CWE-285) | Security feature bypass | Critical | Yes | No | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N | CVE-2025-43585 | |
| Improper Access Control (CWE-284) | Security feature bypass | Important | Yes | Yes | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | CVE-2025-27206 | |
| Improper Access Control (CWE-284) | Privilege escalation | Important | Yes | Yes | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CVE-2025-27207 | B2B Only |
| Improper Access Control (CWE-284) | Privilege escalation | Important | Yes | Yes | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | CVE-2025-43586 | B2B Only |
| Incorrect Authorization (CWE-863) | Security feature bypass | Important | No | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2025-49550 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Moderate | Yes | Yes | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N | CVE-2025-49549 |
Note:
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Damien Retzinger (damienwebdev) - CVE-2025-49549, CVE-2025-49550
- sheikhrishad0 - CVE-2025-27206
- wohlie - CVE-2025-27207
- T.H. Lassche (thlassche) - CVE-2025-43585
- Thomas Klein (tomakl1) - CVE-2025-43586
- blaklis - CVE-2025-47110
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Revisions
June 25, 2025: Added CVE-2025-49549 and CVE-2025-49550
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
