Adobe October 2025 Security Update: Critical Patches Released for Commerce and Magento

Adobe has issued a new set of security patches for October 2025, addressing 36 vulnerabilities across 12 Adobe products. Of these, 24 have been classified as critical.

Updates cover major Adobe products, including Adobe Commerce, Magento Open Source, Adobe Connect, Creative Cloud Desktop, Adobe Bridge, Adobe Animate, Experience Manager Screens, Substance 3D (Viewer, Modeler, Stager),FrameMaker, Illustrator, and Dimension.

This release is part of Adobe’s regular monthly security cycle, and it’s highly recommended that all affected users apply the updates as soon as possible to keep their systems secure.

Focus on Adobe Commerce and Magento Open Source (APSB25-94)

Among the 12 advisories, the Adobe Commerce and Magento Open Source update, documented under bulletin ID APSB25-94, is one of the most important.

This patch resolves multiple critical and important vulnerabilities that, if exploited, could allow attackers to:
Bypass existing security features

Escalate privileges

Execute arbitrary code and potentially gain control of parts of the system

Adobe has confirmed that no active exploits have been observed so far. However, the vulnerabilities remain serious and should be addressed promptly.

Affected Versions

This update applies to the following Adobe Commerce and Magento Open Source versions:

• Adobe Commerce 2.4.9-alpha2 and earlier
• Adobe Commerce 2.4.8-p2 and earlier
• Adobe Commerce 2.4.7-p7 and earlier
• Adobe Commerce 2.4.6-p12 and earlier
• Adobe Commerce 2.4.5-p14 and earlier
• Adobe Commerce 2.4.4-p15 and earlier
• Magento Open Source 2.4.9-alpha2 and earlier

If your site is running any of the above versions, it is strongly advised to apply the update immediately.

Updated / Fixed Versions

Adobe has released the following patched builds to address these vulnerabilities:

• 2.4.9-alpha3 (for sites running 2.4.9-alpha2 or below)
• 2.4.8-p3
• 2.4.7-p8
• 2.4.6-p13
• 2.4.5-p15
• 2.4.4-p16

If you use Adobe Commerce B2B, there are corresponding patched builds available for earlier B2B versions as well.
Although Adobe has categorized this update as Priority 2, it should be installed as soon as possible, but an immediate exploit does not seem to have been found.

Why Does This Matters?

While there are currently no known active attacks, delaying critical updates can leave your eCommerce site vulnerable. These patches not only secure your data and platform but also ensure continued compatibility and stability with future Magento releases.

For store owners, it’s vital to stay proactive. Ignoring updates could expose sensitive customer data or cause major disruptions to your online operations.

Related Alerts

In addition to this October update, it’s worth noting that in September 2025, Adobe had released an emergency patch (APSB25-88) for a severe vulnerability known as “SessionReaper” (CVE-2025-54236).

This flaw could allow attackers to take over customer accounts or execute remote code through the Magento REST API. Adobe’s quick action at the time prevented widespread exploitation, but if your site missed that patch, now is the time to apply it alongside the latest one.

Organizations using multiple Adobe tools such as Experience Manager, Animate, or Connect should also review their configurations, as those products were included in the October batch of advisories.

Recommended Actions

Here’s what eCommerce businesses and site administrators should do right now:

Check your versions

Verify which Adobe Commerce or Magento build you’re currently using.

Apply the latest patches

Upgrade to the patched versions listed above, including the relevant B2B release if applicable.

Install the September “SessionReaper” patch

If you missed it, make sure it’s also applied.

Test before deployment

Run updates in a staging environment first to confirm compatibility.

Monitor activity

After upgrading, check your logs and admin access reports for any irregularities.

Additional Technical Details from Adobe’s October 2025 Bulletin (APSB25-94)

Here are some deeper insights from Adobe’s official documentation and related release notes to give a full picture of what’s included in the October 14, 2025 update.

Specific CVE / Vulnerability Docket

The Adobe bulletin lists five (5) vulnerabilities addressed in Adobe Commerce and Magento Open Source under bulletin ID APSB25-94. These include issues such as Improper Authorization (CWE-863) and Stored Cross-Site Scripting (CWE-79), each assigned a CVSS severity score.

Fixed vulnerabilities include:

CVE-2025-54263 – Security Feature Bypass – Critical

CVE-2025-54264 – Stored XSS – Important

CVE-2025-54265 – Improper Input Validation – Important

CVE-2025-54266 – Improper Access Control – Critical

CVE-2025-54267 – Improper Authorisation – Critical

Some vulnerabilities require authentication or administrative privileges, while others could potentially be exploited with lower-level access.

Patch Interplay with Previous Hotfix / REST API Issue

According to Adobe’s release documentation for version 2.4.7-p8, this October update also includes fixes that overlap with the “SessionReaper” vulnerability (addressed in September 2025 under bulletin APSB25-88). This REST API flaw could allow remote code execution or unauthorised account takeover in specific cases.
The October patch therefore serves as both a new vulnerability fix and a reinforcement update for previously patched REST API risks.

Platform / Edition (B2B) Inclusion

The bulletin also covers Adobe Commerce B2B versions and their related patch requirements. B2B users are strongly advised to update their builds in tandem with their corresponding Commerce version (2.4.4 – 2.4.9) to ensure stability and compatibility across the full platform.

Severity Breakdown / Authentication Detail

Adobe’s security advisory includes a detailed breakdown of each vulnerability’s severity and access requirements.

While some flaws are classified as critical with CVSS scores up to 9.8, others are rated important in the 5.3–8.1 range.

Understanding which issues require authenticated access helps teams prioritise patching and assess exposure risks more accurately.

Scope Beyond Commerce

This bulletin forms part of Adobe’s broader October 2025 Security Update Roundup, which covers 36 vulnerabilities across 12 products, of which 24 are rated critical.

Other products included in this monthly cycle are:

Adobe Connect (APSB25-93)

Creative Cloud Desktop (APSB25-95)

Adobe Bridge (APSB25-96)

Adobe Animate (APSB25-97)

Experience Manager Screens (APSB25-98)

Substance 3D Suite – Viewer, Modeler, Stager (APSB25-99 to 100)

Adobe FrameMaker (APSB25-101)

Adobe Illustrator (APSB25-102)

Adobe Dimension (APSB25-103)

For example, Adobe FrameMaker (APSB25-101) includes critical fixes that prevent arbitrary code execution.

Release Date / Last Update

Adobe first published this bulletin on 14 October 2025 and last updated it on 15 October 2025, indicating that the information remains recent and reliable.

Developer / Extension Guidance

Adobe advises developers and third-party extension providers to review REST API parameter validation and verify extension compatibility before deployment.

Testing updates in a staging environment is recommended to prevent any integration or module issues post-upgrade.

Final Thoughts

The Adobe October 2025 Security Patch Roundup is one of the most significant updates of the year, covering a wide range of Adobe applications. To ensure that stores are safe from privilege escalation and code execution threats, Magento and Commerce users should install the APSB25-94 patch.

Need Expert Help with Your Magento Upgrade?

If you need help applying these patches or upgrading your Adobe Commerce platform safely, our certified Magento developers at IDS Logic can help.

We ensure your store remains secure, stable, and fully optimised for performance, while you focus on growing your business.