Adobe has recently released a critical security update for its Adobe Commerce and Magento Open Source platforms. This blog post covers the specifics of the update, the risks it mitigates, and the actionable steps users can take to strengthen their security posture.

The security update, APSB25-08, was released on February 11, 2025. It addresses critical vulnerabilities present in Adobe Commerce and Magento Open Source. These vulnerabilities, if exploited, could lead to arbitrary code execution, security feature bypass, and privilege escalation.

Affected Versions

The affected versions span several release branches of Adobe Commerce and Magento Open Source. Users running any of the following versions are urged to take immediate action:

  • Adobe Commerce: 2.4.8-beta1, 2.4.7-p3 and earlier, 2.4.6-p8 and earlier, 2.4.5-p10 and earlier, 2.4.4-p11 and earlier, and more.
  • Adobe Commerce B2B: 1.5.0 and earlier, 1.4.2-p3 and earlier, 1.3.5-p8 and earlier, 1.3.4-p10 and earlier, 1.3.3-p11 and earlier, and more.
  • Magento Open Source: 2.4.8-beta1, 2.4.7-p3 and earlier, 2.4.6-p8 and earlier, 2.4.5-p10 and earlier, 2.4.4-p11 and earlier, and more.
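The following is an added example, not a tool from Adobe or this post, for checking an inventory of installed versions against the affected list exactly as reproduced above. It assumes version strings of the form `2.4.7-p3` or `2.4.8-beta1`, and because the list above ends in "and more", any release branch not in the table is reported as unknown rather than safe; the function names are the example's own.

```python
import re

# Affected versions as reproduced in this post (constructed from its list). The
# bulletin lists more branches ("and more"), so a branch absent here is "unknown".
# ("p", N) = "-pN and earlier" (an unpatched base release counts as p0);
# ("beta", N) = that exact pre-release only.
_COMMERCE = {
    (2, 4, 8): ("beta", 1),
    (2, 4, 7): ("p", 3),
    (2, 4, 6): ("p", 8),
    (2, 4, 5): ("p", 10),
    (2, 4, 4): ("p", 11),
}
AFFECTED = {
    "Adobe Commerce": _COMMERCE,
    "Magento Open Source": _COMMERCE,
    "Adobe Commerce B2B": {
        (1, 5, 0): ("p", 0),
        (1, 4, 2): ("p", 3),
        (1, 3, 5): ("p", 8),
        (1, 3, 4): ("p", 10),
        (1, 3, 3): ("p", 11),
    },
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(p|beta)(\d+))?$")


def parse_version(version):
    """Split '2.4.7-p2' into ((2, 4, 7), 'p', 2); a bare '2.4.7' is p0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, (m.group(4) or "p"), int(m.group(5) or 0)


def apsb25_08_status(product, version):
    """Return 'affected', 'not_affected' or 'unknown' for one installed version."""
    base, kind, num = parse_version(version)
    entry = AFFECTED[product].get(base)
    if entry is None:
        return "unknown"      # branch not reproduced in this post: check the bulletin
    ekind, enum = entry
    if ekind == "beta":
        return "affected" if (kind, num) == ("beta", enum) else "unknown"
    if kind == "beta":
        return "unknown"      # pre-release of a GA branch: not covered by this list
    return "affected" if num <= enum else "not_affected"
```

An "unknown" result is a prompt to consult the bulletin itself, since the post's list is explicitly incomplete.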

Solution

Adobe has provided updated versions of both Adobe Commerce and Magento Open Source that address these vulnerabilities. Adobe has assigned the updates priority ratings, and users are strongly advised to update their installations to the newest versions as soon as possible. Detailed installation instructions are available on Adobe’s website.

Vulnerability Details

The 31 vulnerabilities fall into the following categories (the number after each entry is how many vulnerabilities of that type the bulletin lists):

  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22): 1
  • Incorrect Authorization (CWE-863): 4
  • Information Exposure (CWE-200): 1
  • Improper Authorization (CWE-285): 2
  • Cross-site Scripting (Stored XSS) (CWE-79): 9
  • Improper Access Control (CWE-284): 10
  • Violation of Secure Design Principles (CWE-657): 1
  • Business Logic Errors (CWE-840): 1
  • Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367): 2

These vulnerabilities pose the risk of arbitrary code execution, arbitrary file system read, security feature bypass, and privilege escalation.

You can find detailed information here: Adobe Security Bulletin APSB25-08.