Adobe Commerce 2.4.9 & Critical Security Patches: What Every Store Owner Must Know

Adobe has released its most substantial Commerce update in years: 560+ bug fixes, security patches (one of which closes a vulnerability already being exploited in the wild), and major platform upgrades. Here is everything your team needs to understand and act on, explained plainly.
The Big Picture: What Has Adobe Released?
Adobe Commerce has released two distinct but related update tracks that every store owner needs to understand:
- Adobe Commerce 2.4.9: A major feature and platform release with 560+ fixes, modernised UI libraries, payment improvements, and PHP/infrastructure upgrades. Currently in beta, but important to plan for now.
- 2.4.8 Security Patches (p1–p5): A series of security-only releases for stores already on 2.4.8. One of them closes CVE-2025-54236, a vulnerability that attackers are already exploiting in the wild. These must be applied immediately.
Think of it this way: the security patches are your urgent medication, and 2.4.9 is the full health plan you build toward. Both deserve your attention, but the security patches are time-critical.
2.4.8 Security Patches: What Was Broken and What Got Fixed
Adobe has released five security patch increments for the 2.4.8 line (p1 through p5), each targeting specific vulnerabilities. The table below gives a plain-English breakdown of the most critical ones.
| Severity | CVE / Bulletin | Vulnerability | Impact & Fix |
|---|---|---|---|
| CRITICAL | CVE-2025-54236 (APSB25-88) | Customer account takeover via REST API | Attackers hijacked customer accounts without a password or any authentication. Actively exploited in the wild. Fixed by the VULN-32437 hotfix and in 2.4.8-p3. |
| CRITICAL | CVE-2025-24434 (APSB25-08) | Authorisation bypass: privilege escalation | A flaw in permission verification let attackers escalate privileges and reach protected areas. |
| IMPORTANT | CVE-2025-47110 (APSB25-50) | Stored XSS via server-side template injection | Malicious scripts injected through email templates run in the browser of every victim who views the affected content. |
| IMPORTANT | VULN-31547 (APSB25-50) | Reflected XSS + one-click account takeover | Reflected XSS in the marketplace, chained with a one-click account takeover on Adobe IMS-connected instances. |
| IMPORTANT | CVE-2025-54263 to CVE-2025-54267 (APSB25-94) | Unauthenticated arbitrary code execution | CVSS 8.8. Unauthenticated attackers could bypass privilege checks and execute code; full site compromise possible. |
| FIXED | API regression (APSB25-08 follow-up) | Bulk API slowdown after security patch | Applying APSB25-08 made the bulk asynchronous API endpoints markedly slower. Fixed in 2.4.8-p1. |
Why This Is Urgent
Adobe has confirmed that CVE-2025-54236 is being actively exploited in the wild. This means real attackers are using this technique against live stores, not just researchers testing in a lab. Any store on an unpatched 2.4.8 release is exposed to customer account takeover that requires no authentication at all.
Adobe Commerce 2.4.9: What’s New and Why It Matters
Beyond security, the 2.4.9 release signals a forward-looking platform overhaul. With over 560 fixes in the Adobe Commerce beta alone, here are the headline improvements that affect your day-to-day store operations.
Smarter Admin Experience
Two-Factor Authentication (2FA) has been simplified. Previously, if multiple 2FA methods were enabled, say, Google Authenticator and a hardware security key, every admin user was forced to set up all of them before logging in. In 2.4.9, users only need to configure one method. This removes a real-world barrier for team members who don’t have access to every authentication device.
The staging preview tool now accurately simulates how your store looks on mobile devices. Before this fix, the mobile preview in the admin panel was often misleading: store owners would approve a promotion layout that looked fine on desktop but was broken on phones. Now what you see is genuinely what customers see.
Checkout and Payments: Where the Revenue Is
Google Pay and Apple Pay express checkout now fully support promo and offer codes. Previously, shoppers using these fast payment methods couldn’t apply discount codes, meaning express checkout customers missed out on promotions available to everyone else. That friction is now removed, directly improving conversion rates.
The PayPal Express shipping callback has been moved from the browser (client-side) to the server (server-side). In plain terms: shipping costs during PayPal Express checkout are now calculated from data the server holds rather than from values the shopper's browser reports, which makes the calculation both more reliable and harder to tamper with.
For B2B merchants, a persistent bug with Payflow Pro checkout on negotiable quotes has been resolved: orders would hang indefinitely without placing or showing an error, causing silent revenue loss for affected stores.
Catalogue and Admin Productivity
The Catalog Price Rules grid now includes bulk actions: activate, deactivate, or delete multiple rules at once. This brings catalogue rules in line with cart price rules and saves significant time for stores managing large sets of promotions.
Security Hardening and Library Upgrades
Three JavaScript libraries central to the Adobe Commerce UI have been upgraded: jQuery UI to 1.14.1, jQuery Validate to 1.21.0, and the Uppy file upload library to 4.13.4. These are not cosmetic changes: older versions had known security vulnerabilities in file upload handling and form input validation. The upgrades patch those holes while also improving compatibility with modern browsers.
CAPTCHA enforcement has been extended to REST and GraphQL APIs. Previously, if you enabled CAPTCHA on your customer registration form, a bot could bypass it entirely by hitting the API directly rather than going through the browser form. That gap is now closed.
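A quick way to verify that gap on your own store, as an added example written for this article (not Adobe's or Viha Digital Commerce's code): submit a customer registration through the REST and GraphQL APIs with no CAPTCHA answer and see whether the store refuses. It assumes the anonymous POST /rest/V1/customers endpoint and the createCustomerV2 GraphQL mutation, and treats any response whose body mentions "captcha" as a refusal, because the exact message text differs between the native CAPTCHA and reCAPTCHA modules. Run it only against a store you own or are authorised to test; the live mode creates throwaway probe accounts that you should delete afterwards.

```shell
#!/usr/bin/env bash
# Probe whether customer registration enforces CAPTCHA on the REST and GraphQL
# APIs, not only on the storefront form. Added example, not Adobe's or Viha's
# code. Assumptions: the anonymous endpoints POST /rest/V1/customers and the
# createCustomerV2 mutation, and that a CAPTCHA rejection is any response whose
# body mentions "captcha" (wording differs between CAPTCHA and reCAPTCHA modules).
set -eu

# Verdict for one API response: $1 = HTTP status, $2 = response body.
#   captcha-enforced : the API refused the request for lack of a CAPTCHA answer
#   account-created  : the API created the account with no CAPTCHA at all (the gap)
#   unexpected       : anything else (auth error, validation error, outage)
classify_response() {
    body_lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$body_lc" in
        *captcha*) echo captcha-enforced; return ;;
    esac
    if [ "$1" = 200 ]; then
        # REST returns the new customer object ("id": ...); GraphQL wraps it in
        # "customer": {...}. GraphQL errors also arrive as 200, but a non-CAPTCHA
        # error has neither key and falls through to "unexpected".
        case "$body_lc" in
            *'"id":'*|*'"customer":{'*) echo account-created; return ;;
        esac
    fi
    echo unexpected
}

# Registration with no CAPTCHA token via REST. $1 = base URL, $2 = file that
# receives the body, $3 = email, $4 = password. Prints the HTTP status.
rest_register() {
    curl -sS -o "$2" -w '%{http_code}' -X POST "$1/rest/V1/customers" \
        -H 'Content-Type: application/json' \
        -d '{"customer":{"email":"'"$3"'","firstname":"Probe","lastname":"Account"},"password":"'"$4"'"}'
}

# The same registration through the createCustomerV2 GraphQL mutation.
graphql_register() {
    curl -sS -o "$2" -w '%{http_code}' -X POST "$1/graphql" \
        -H 'Content-Type: application/json' \
        -d '{"query":"mutation { createCustomerV2(input: {firstname: \"Probe\", lastname: \"Account\", email: \"'"$3"'\", password: \"'"$4"'\"}) { customer { email } } }"}'
}

if [ -n "${STORE_URL:-}" ]; then
    # Live mode against your own store, e.g. STORE_URL=https://staging.example.com
    stamp=$(date +%s)
    password="Pr0be-$stamp-Xy!"          # satisfies the default 3-class password policy
    body=$(mktemp)
    trap 'rm -f "$body"' EXIT
    status=$(rest_register "$STORE_URL" "$body" "rest-probe-$stamp@example.com" "$password")
    echo "REST    POST /rest/V1/customers : $status $(classify_response "$status" "$(cat "$body")")"
    status=$(graphql_register "$STORE_URL" "$body" "gql-probe-$stamp@example.com" "$password")
    echo "GraphQL createCustomerV2        : $status $(classify_response "$status" "$(cat "$body")")"
else
    # Offline demo on constructed responses (not captured from a real store).
    echo "REST    400: $(classify_response 400 '{"message":"ReCaptcha validation failed, please try again"}')"
    echo "REST    200: $(classify_response 200 '{"id":1234,"email":"rest-probe@example.com","firstname":"Probe"}')"
    echo "GraphQL 200: $(classify_response 200 '{"errors":[{"message":"ReCaptcha validation failed, please try again"}],"data":{"createCustomerV2":null}}')"
    echo "GraphQL 200: $(classify_response 200 '{"data":{"createCustomerV2":{"customer":{"email":"gql-probe@example.com"}}}}')"
fi
```

An "account-created" verdict on either endpoint means a bot can register accounts while skipping the CAPTCHA your storefront form shows, which is exactly the gap the 2.4.9 change closes.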
Platform Compatibility Note
Adobe Commerce 2.4.9 is still in beta and is not yet intended for production deployment. However, understanding its changes now allows your team to plan extensions, theme updates, and infrastructure upgrades ahead of the GA release, avoiding emergency scrambles later.
The Cost of Not Updating: A Plain Comparison
The table below shows the real business consequences of running an unpatched store versus one that has been properly updated.
| Area | Unpatched Store | Updated Store |
|---|---|---|
| Customer account security | ✗ Exposed: accounts hijacked via REST API (CVE-2025-54236) | ✓ Protected with validated API access controls |
| Admin access | ✗ Privilege escalation possible without valid credentials | ✓ Authorisation properly enforced at every layer |
| Malicious scripts | ✗ XSS via email template injection allows script execution | ✓ Input sanitisation and output encoding hardened |
| Express checkout conversions | ✗ Promo codes unavailable for Apple Pay / Google Pay shoppers | ✓ Full promo support across all checkout flows |
| Bulk API performance | ✗ Degraded speed from unresolved performance regression | ✓ Bulk endpoints restored to expected throughput |
| PCI DSS compliance | ✗ Running known-vulnerable software may breach compliance obligations | ✓ Patches maintain platform eligibility for compliance audits |
| B2B negotiable quote checkout | ✗ Payflow Pro orders silently fail: lost revenue, no error shown | ✓ Orders place reliably from negotiable quote flows |
How Viha Digital Commerce Handles This For You
Applying Adobe Commerce patches is not a case of clicking ‘update’ in a dashboard. It involves compatibility testing against your custom theme and extensions, database backup and rollback planning, staged deployment to avoid downtime, and B2B module updates that must follow the main patch in a specific sequence. Getting any of these steps wrong can take a store offline.
As an Adobe Commerce development company, we specialise in exactly this kind of structured, risk-managed update work. Here is what our process looks like:
- Compatibility Audit: We audit your current version, all installed extensions, and your theme against the target patch or version. Any conflicts are identified before a single change reaches production.
- Staging Environment Deployment: The patch or upgrade is applied first to a staging clone of your live store. We run full regression testing across checkout, payment flows, admin functions, and API integrations.
- Database Backup and Rollback Plan: Before touching production, a verified backup is created, and a documented rollback procedure is in place. If something unexpected happens, we can restore it within minutes.
- Production Deployment: Production is updated during your lowest-traffic window with a minimal maintenance notice. B2B extension updates are applied in the correct sequence as required by Adobe’s documentation.
- Post-Update Verification: We run a full smoke test on checkout, payments, admin panel access, email templates, and API endpoints. You receive a report confirming the patch status and any items to monitor.
What We Specifically Help With for These Updates
→ Applying the CVE-2025-54236 hotfix (VULN-32437) and verifying the custom attributes module is version 0.4.0 or higher
→ Sequenced B2B extension patching, which must follow the core patch in the correct order
→ 2FA configuration review and rollout to admin users after the simplified 2.4.9 flow change
→ API endpoint performance validation after the APSB25-08 regression fix
→ Theme and extension compatibility review ahead of the 2.4.9 GA release
→ REST API constructor parameter validation review for custom or third-party extensions (needed because the CVE-2025-54236 fix changes how the REST API validates constructor parameters)
→ Encryption key migration via CLI (the Admin UI option has been removed in newer patches)
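Here is the kind of pre-flight check that the compatibility audit and the hotfix verification above boil down to, as an added example written for this article rather than Viha Digital Commerce's or Adobe's tooling. It assumes the standard bin/magento and vendor/bin/magento-patches (Quality Patches Tool) entry points, the 2.4.8-p3 release and VULN-32437 hotfix identifiers named above, and a one-row-per-patch layout for the `magento-patches status` table. Without MAGENTO_ROOT set it runs on constructed sample output; with MAGENTO_ROOT set it reads the real CLI output, and only runs the apply sequence when invoked with --apply.

```shell
#!/usr/bin/env bash
# Pre-flight patch-level check for the CVE-2025-54236 fix on a 2.4.8 store.
# Added example, not Viha Digital Commerce's tooling or Adobe's. Assumptions:
# bin/magento and vendor/bin/magento-patches (magento/quality-patches) exist,
# 2.4.8-p3 and VULN-32437 are the fixed release and hotfix ID named in the text,
# and `magento-patches status` prints one row per patch with "Applied" as status.
set -eu

MIN_FIXED_VERSION="2.4.8-p3"
HOTFIX_ID="VULN-32437"

# Turn "2.4.8-p2" into one sortable integer. A release with no -pN suffix is
# patch level 0, so 2.4.8 < 2.4.8-p1 < 2.4.8-p3 < 2.4.9. Pre-release suffixes
# such as -alpha2 or -beta1 are treated as their base release (assumption).
version_key() {
    base="${1%%-*}"
    patch=0
    case "$1" in *-p*) patch="${1##*-p}" ;; esac
    set -- $(printf '%s' "$base" | tr '.' ' ') "$patch"
    echo $(( $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4 ))
}

# True when version $1 is at least version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Installed version from `bin/magento --version` output ("Magento CLI 2.4.8-p2").
installed_version() {
    printf '%s\n' "$1" | awk '/Magento CLI/ { print $3; exit }'
}

# Whether the hotfix row in the status table reads "Applied" (case-sensitive,
# so a "Not applied" row does not count).
hotfix_applied() {
    printf '%s\n' "$1" | grep -q "$HOTFIX_ID.*Applied"
}

# Exposure verdict: $1 = installed version, $2 = `magento-patches status` text.
#   patched-release : 2.4.8-p3 or later, the fix ships in the release
#   hotfix-applied  : older release with VULN-32437 applied; plan the p3 upgrade
#   exposed         : neither, patch immediately
assess_exposure() {
    if version_ge "$1" "$MIN_FIXED_VERSION"; then
        echo patched-release
    elif hotfix_applied "$2"; then
        echo hotfix-applied
    else
        echo exposed
    fi
}

# Apply sequence for a store that came back "exposed": Quality Patches Tool
# install and apply, then the usual upgrade/compile/flush. Run from the Magento
# root, on staging first, only after a verified database backup exists.
apply_hotfix() {
    bin/magento maintenance:enable
    composer require magento/quality-patches
    vendor/bin/magento-patches apply "$HOTFIX_ID"
    bin/magento setup:upgrade
    bin/magento setup:di:compile
    bin/magento cache:flush
    bin/magento maintenance:disable
}

if [ -n "${MAGENTO_ROOT:-}" ]; then
    # Live mode: read the real CLI output from the store at $MAGENTO_ROOT.
    cd "$MAGENTO_ROOT"
    verdict=$(assess_exposure "$(installed_version "$(bin/magento --version)")" \
                              "$(vendor/bin/magento-patches status 2>/dev/null || true)")
    echo "$MAGENTO_ROOT: $verdict"
    if [ "$verdict" = exposed ] && [ "${1:-}" = --apply ]; then
        apply_hotfix
    fi
    [ "$verdict" != exposed ]    # non-zero exit for CI when the store is exposed
else
    # Offline demo on constructed sample output (not captured from a real store).
    v=$(installed_version "Magento CLI 2.4.8-p2")
    applied="| VULN-32437 | Fix for CVE-2025-54236 | Security | Adobe Commerce | Applied | |"
    missing="| VULN-32437 | Fix for CVE-2025-54236 | Security | Adobe Commerce | Not applied | |"
    echo "2.4.8-p3, no hotfix row   : $(assess_exposure 2.4.8-p3 "")"
    echo "$v, hotfix applied    : $(assess_exposure "$v" "$applied")"
    echo "$v, hotfix not applied: $(assess_exposure "$v" "$missing")"
fi
```

The version comparison is the part people get wrong by hand: a plain string sort puts 2.4.8-p10 before 2.4.8-p3, and treats 2.4.8 with no suffix as newer than 2.4.8-p1, so the check parses the patch level as a number.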
Our Commitment
We treat every update as a production-critical engineering task: not a box-ticking exercise. Our team has applied Adobe Commerce security patches across stores ranging from startup catalogues to enterprise B2B deployments, and we carry a zero-downtime track record on patch deployments.
The Bottom Line
Adobe Commerce’s security patch cycle has become more aggressive in 2025 for good reason: the platform is a high-value target, and the vulnerabilities being disclosed are serious. CVE-2025-54236 alone, a customer account takeover that requires no authentication, is the kind of flaw that can wipe out customer trust overnight if exploited on your store.
The 2.4.9 release, meanwhile, is not just a maintenance tick. Fixes to Apple Pay and Google Pay promo support, the admin 2FA flow, bulk catalogue management, and over 560 resolved bugs represent real quality-of-life improvements and potential revenue recovery for stores that have been working around known issues.
The question is not whether to apply these updates: it is how to do it safely, quickly, and with confidence. That is precisely where Viha Digital Commerce adds its value.
Ready to secure and upgrade your store?
Our team can assess your current patch status, identify exposure, and deploy the right updates: without downtime and without surprises. Contact Viha Digital Commerce → vihadigitalcommerce.com