Introducing enhanced security patch deployment and communications in Adobe Commerce.
03-03-2025

Security and trust with our customers have always been priorities for Adobe. As cyber threats continue to become more sophisticated, hackers constantly seek new ways to exploit vulnerabilities in unpatched applications.
To help our Adobe Commerce customers mitigate these risks effectively, we have implemented a series of proactive measures to quickly and efficiently deliver critical security patches. These improvements to our patching process reflect Adobe’s ongoing commitment to protecting our customers’ digital environments.
Introduction of isolated patches for critical vulnerabilities.
Adobe releases security patches for each supported release line of the core Adobe Commerce PHP application. Patch releases are opportunities to upgrade the core codebase to keep your platform secure, reliable, and performant.
Starting in June 2024, Adobe Commerce began releasing isolated patches in addition to the standard security patch releases. These isolated patches are designed to address high-priority security vulnerabilities, enabling customers to promptly patch critical issues without needing to apply a full security update — which will support timely protection against pressing threats.
When determining whether an isolated patch is needed, Adobe focuses on three key criteria:
- Critical vulnerabilities: Isolated patches target vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher, which indicates a critical vulnerability.
- Storefront impact: Patches will also be released for vulnerabilities that are likely to affect the core functionality of the storefront, as these can directly impact customer transactions and overall site integrity.
- Higher-risk vulnerabilities: In some cases, isolated patches may be issued for vulnerabilities deemed to have a higher risk of exploitation, based on Adobe’s internal security tools and risk assessment processes.
By releasing these isolated patches, Adobe Commerce is helping customers more rapidly address critical vulnerabilities, reducing the time window in which they could be exploited by malicious actors. Isolated patches for Adobe Commerce will be available for every supported security patch version of the relevant release line, so that customers have access to the latest fixes. For further information on our supported release lines, please visit Adobe Commerce’s lifecycle policy.
While these isolated patches are intended to address the most urgent vulnerabilities, Adobe recommends that customers apply the full security patch as soon as possible after it is made available. Full security patches not only fix critical issues but also address a broader range of security and compliance concerns that could affect the overall health and integrity of the system.
Quick and efficient patch deployment with Cloud Patches for Commerce.
In addition to traditional patching methods, Adobe Commerce has further streamlined its process by offering isolated patches via Cloud Patches for Commerce. This tool delivers security fixes directly to Adobe Commerce customers using Adobe’s cloud infrastructure, providing rapid deployment of critical patches. For instructions on how to apply critical patches using cloud packages, visit the Commerce on Cloud Guide on applying patches.
Web application firewall (WAF) protection for Cloud customers.
For customers using Adobe Commerce on Cloud, we deploy web application firewall (WAF) rules alongside the release of isolated patches, providing an additional layer of protection at the infrastructure or application layer before the customer upgrades their instance. These WAF rules are designed to prevent cybercriminals from exploiting the vulnerabilities addressed in the isolated patch.
Security patching for Adobe Commerce Managed Services customers.
For customers using Adobe Commerce Managed Services, we go a step further by providing personalized support during the patching process. Each Managed Services customer is assigned a dedicated customer success engineer (CSE), who helps the customer determine when and how to efficiently and effectively apply the isolated patches. To minimize disruption, CSEs work with customers to validate patches in dedicated staging environments before deployment to production. This testing helps prevent patches from interfering with existing workflows and confirms that the fixes are applied correctly.
By leveraging the Adobe Commerce Managed Services team’s expertise, customers can experience a more effective and frictionless patching process that helps reduce the risk of security issues and system downtime.
Proactive communication — keeping customers informed.
At Adobe, we understand that the key to staying ahead of cyber threats is through timely awareness and communication. Attackers often target unpatched systems — and clear, proactive communication is vital.
We directly notify customers and partners about upcoming security updates through email notifications and notifications within Adobe Commerce. This dual-channel approach helps merchants and administrators stay on top of the latest patches and enables them to take swift action to secure their stores.
Here are some of the key elements of Adobe Commerce’s security communications:
- Email alerts: Customers receive detailed email notifications regarding upcoming security patches and isolated patches, including important information about the vulnerabilities being addressed as well as the release notes. The email is sent on the day the patches are released, according to our release schedule.
- In-product notifications: Admins within Adobe Commerce receive in-product alerts through the admin panel, helping to ensure they don’t miss any critical security updates.
- Security bulletins: Each notification contains a link to a security bulletin and release notes, providing comprehensive information about the vulnerabilities that have been addressed. Customers can opt in to a subscription service to receive notifications directly to their inbox when Adobe releases updates and publishes security bulletins. Security bulletins typically include details regarding:
  - Affected and fixed versions of Adobe Commerce
  - Common Vulnerabilities and Exposures (CVE) references for the affected security issues
  - A high-level summary of each vulnerability, its severity, and the potential impact on customers’ systems
Adobe Commerce’s CVE details are made available in public databases like MITRE and the National Vulnerability Database (NVD), providing external verification and transparency for security researchers and users. By informing customers about available fixes, we empower them to take quick action and apply security patches as soon as possible.
We are committed to providing our customers with the tools, resources, support, and communications necessary to stay ahead of evolving cyber threats. By implementing proactive patching measures, we aim to create a comprehensive security ecosystem that helps our customers protect their digital storefronts from threats and vulnerabilities.
Smita Verma is a senior product manager at Adobe Commerce, bringing extensive experience in cybersecurity solutions and compliance frameworks. Passionate about cybersecurity education and community building, she blends strategic product management with deep security expertise to develop innovative features that strengthen organizational security without compromising user experience. Verma excels at transforming complex security requirements into intuitive, impactful solutions that drive real-world value across enterprise environments.