
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN606
_____________________________________________________________________

DATE                : 11/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Commerce and Magento Open Source.

=====================================================================
https://helpx.adobe.com/security/products/magento/apsb25-88.html
_____________________________________________________________________


Last updated on Sep 9, 2025

Security update available for Adobe Commerce | APSB25-88

Bulletin ID    Date Published       Priority

APSB25-88      September 9, 2025    2


Summary

Adobe has released a security update for Adobe Commerce and Magento
Open Source. This update resolves a critical vulnerability
(CVE-2025-54236). Successful exploitation could lead to security
feature bypass; the CVSS vector below rates it as exploitable over
the network with no privileges and no user interaction, with high
confidentiality and integrity impact.

Adobe is not aware of any exploits in the wild for any of the issues
addressed in these updates.


Affected Versions

Product               Version                       Priority Rating   Platform

Adobe Commerce        2.4.9-alpha2 and earlier      2                 All
                      2.4.8-p2 and earlier
                      2.4.7-p7 and earlier
                      2.4.6-p12 and earlier
                      2.4.5-p14 and earlier
                      2.4.4-p15 and earlier

Adobe Commerce B2B    1.5.3-alpha2 and earlier      2                 All
                      1.5.2-p2 and earlier
                      1.4.2-p7 and earlier
                      1.3.4-p14 and earlier
                      1.3.3-p15 and earlier

Magento Open Source   2.4.9-alpha2 and earlier      2                 All
                      2.4.8-p2 and earlier
                      2.4.7-p7 and earlier
                      2.4.6-p12 and earlier
                      2.4.5-p14 and earlier

Solution

Adobe categorizes these updates with the following priority ratings
and recommends users update their installation to the newest
version.

Product                    : Adobe Commerce and Magento Open Source
Updated Version            : Hotfix for CVE-2025-54236, compatible with all
                             Adobe Commerce and Magento Open Source versions
                             between 2.4.4 and 2.4.7
Platform                   : All
Priority Rating            : 2
Installation Instructions  : Release Notes for hotfix on CVE-2025-54236
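As an added example (not part of the CERT-Renater note or Adobe's bulletin), the following Python script turns the affected-versions table above into a triage check: it parses a Magento version string (including the -pN and -alphaN suffixes used in the table), compares it against the ceiling for its release line, and reports whether the install is in scope for CVE-2025-54236. Assumptions: the `bin/magento --version` output format ("Magento CLI 2.4.6-p12") is assumed, not taken from the advisory, and the sample output is constructed. One caveat a practitioner should keep in mind: applying the hotfix does not change the reported version string, so an already-patched system still shows an "affected" version here; confirm hotfix application by other means.

```python
import re

# Affected-version ceilings copied from the table in APSB25-88 above.  A release
# at or below the ceiling for its 2.4.x line is affected by CVE-2025-54236.
AFFECTED_CEILINGS = {
    "Adobe Commerce": [
        "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15",
    ],
    "Magento Open Source": [
        "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14",
    ],
}

# major.minor.patch with an optional -alphaN / -betaN / -pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Suffix ordering: alpha < beta < GA release (no suffix, treated as p0) < p1 < p2 ...
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 2}


def parse_version(text):
    """Turn '2.4.7-p6' into a comparable tuple (2, 4, 7, 2, 6)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(n or 0))


def is_affected(version, product="Magento Open Source"):
    """True if `version` is at or below the advisory ceiling for its release line."""
    key = parse_version(version)
    ceilings = [parse_version(c) for c in AFFECTED_CEILINGS[product]]
    same_line = [c for c in ceilings if c[:3] == key[:3]]
    if same_line:
        return key <= same_line[0]
    # Lines not listed in the table: "and earlier" covers everything below the
    # lowest listed ceiling (e.g. 2.3.x); anything newer than every ceiling is
    # outside the scope of this advisory.
    return key < min(ceilings)


def version_from_cli_output(output):
    """Extract the version from `bin/magento --version` output.

    Assumption (not from the advisory): the CLI prints a line such as
    'Magento CLI 2.4.6-p12'.
    """
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?)\b", output)
    if not m:
        raise ValueError("no version found in CLI output")
    return m.group(1)


def triage(cli_output, product="Magento Open Source"):
    """Map CLI output to (version, action) for this advisory."""
    version = version_from_cli_output(cli_output)
    if not is_affected(version, product):
        return version, "not listed as affected by APSB25-88"
    # The hotfix does not bump the reported version, so a patched install still
    # shows an affected version string; confirm hotfix application separately.
    return version, "affected: apply the CVE-2025-54236 hotfix (or confirm it is already applied)"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real system.
    SAMPLE = "Magento CLI 2.4.7-p6"
    print(triage(SAMPLE))
```

Run it against the real output of `bin/magento --version` (or the version recorded in `composer.lock`) on each store; the Adobe Commerce product key includes the 2.4.4 line that the Magento Open Source table in this bulletin does not list.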



Vulnerability Details

Vulnerability Category               : Improper Input Validation (CWE-20)
Vulnerability Impact                 : Security feature bypass
Severity                             : Critical
Authentication required to exploit?  : No
Exploit requires admin privileges?   : No
CVSS base score                      : 9.1
CVSS vector                          : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE number(s)                        : CVE-2025-54236
Notes                                : -
Note

Authentication required to exploit: whether the vulnerability can be
exploited without credentials. "No" above means no credentials are
needed.

Exploit requires admin privileges: whether the vulnerability is only
exploitable by an attacker who already holds administrative
privileges. "No" above means admin privileges are not required.


Acknowledgements

Adobe would like to thank the following researchers for reporting
these issues and working with Adobe to help protect our customers:

    blaklis -- CVE-2025-54236

NOTE: Adobe has a public bug bounty program with HackerOne. If you
are interested in working with Adobe as an external security
researcher, please check out https://hackerone.com/adobe.

For more information, visit https://helpx.adobe.com/security.html,
or email PSIRT@adobe.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
