Magento Security Release APSB25-08 [Impact Analysis]

APSB25-08 released on Feb 11th, 2025

Critical Adobe Commerce/Magento security patches have just been released (CVSS 9.4/10)

New versions: 2.4.4-p12, 2.4.5-p11, 2.4.6-p9, 2.4.7-p4, additionally 2.4.8-beta2. You should schedule an upgrade ASAP.

• Request validation was added to the Asynchronous Web API. This is a port of CVE-2023-38218, which previously received an 8.8 CVSS score (see our analysis) but is now a critical 9.4. Unauthorized attackers can take control of customer accounts. There is an isolated patch available if you cannot upgrade.
• Several stored XSS that could be exploited with admin access. Areas affected are system configuration, product edit page, customer edit page, and the dashboard.
• A locking mechanism was added to prevent coupons from being used more than their allowed limit.
• In the wake of CosmicSting, a new "extensible data re-encryption mechanism" was added to make changing your encryption key less painful. Despite Adobes claim that it is in 2.4.8-beta only, it is present in the 2.4.4 patch as well.
• A directory traversal issue was fixed that would allow admins to download arbitrary files within the var folder.
• TinyMCE was downgraded from version 7 to version 6 due to compatibility issues with OSL (thanks Fabrizio Balliano and Tu Van)

eComscan will alert you about vulnerable installations.

• Adobe release notes

Read more

• SessionReaper attacks have started, 3 in 5 stores still vulnerable
• SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)
• Adobe patches critical Magento admin takeover via menu injection
• Backdoor found in popular ecommerce components
• Found defunct.dat on your site? You've got a problem.