Cyber Posture

CVE-2025-22386

High

Published: 04 January 2025
Modified: 20 May 2025
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in Optimizely Configured Commerce 5.2.2408 (see the vendor advisory below)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0019 (41.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22386 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Optimizely Configured Commerce. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). Its EPSS score places it at the 41.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AU-14 (Session Audit).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-12 Session Termination (prevent)

Directly requires automatic termination of user sessions upon logout or after organization-defined inactivity periods, preventing reuse of tokens from logged-out sessions.

Authenticator management (prevent)

Mandates management of authenticators, including periodic refresh, revocation, and protection, addressing prolonged validity of session tokens after logout.

AU-14 Session Audit (detect, partial match)

Provides audit capability for session events, enabling detection of unauthorized access or activity using improperly persistent session tokens.
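What AU-14-style session auditing can surface for this bug class, as an added example (this is illustrative Python written for this page, not Optimizely's code and not part of the original analysis): a detector run over constructed storefront log lines in an assumed format (ISO-8601 UTC timestamp, LOGIN/LOGOUT/REQUEST event, `sid=`, optional `user=` and `path=`, `ip=`). It flags any request that reuses a session ID after that session's LOGOUT event, which is the direct symptom of CWE-613, and any request arriving after an idle gap longer than a configurable limit, which AC-12 says should already have terminated the session. The log format, field names and sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real Optimizely output. Assumed line format:
# <ISO-8601 UTC timestamp> <LOGIN|LOGOUT|REQUEST> sid=<id> [user=<u>] [path=<p>] ip=<addr>
SAMPLE_LOG = """\
2025-01-04T10:00:00Z LOGIN sid=a1b2c3 user=alice ip=203.0.113.10
2025-01-04T10:05:12Z REQUEST sid=a1b2c3 path=/account/orders ip=203.0.113.10
2025-01-04T10:07:40Z LOGOUT sid=a1b2c3 user=alice ip=203.0.113.10
2025-01-04T10:30:05Z REQUEST sid=a1b2c3 path=/account/addresses ip=198.51.100.7
2025-01-04T10:31:00Z REQUEST sid=a1b2c3 path=/checkout ip=198.51.100.7
2025-01-04T11:00:00Z LOGIN sid=d4e5f6 user=bob ip=203.0.113.11
2025-01-04T11:02:00Z REQUEST sid=d4e5f6 path=/account/orders ip=203.0.113.11
2025-01-04T13:10:00Z REQUEST sid=d4e5f6 path=/account/orders ip=203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT|REQUEST) sid=(?P<sid>\S+)"
    r"(?: user=(?P<user>\S+))?(?: path=(?P<path>\S+))? ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_stale_session_use(log_text, idle_limit_minutes=30):
    """Return findings for session IDs used after LOGOUT or after an idle gap
    longer than idle_limit_minutes. Each finding is a dict: sid, rule, ts, ip, path."""
    idle_limit = timedelta(minutes=idle_limit_minutes)
    logged_out = {}  # sid -> timestamp of its LOGOUT event
    last_seen = {}   # sid -> timestamp of the last event seen for that sid
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # tolerate unrelated lines in a mixed log
        sid, ts = rec["sid"], rec["ts"]
        if rec["event"] == "LOGIN":
            logged_out.pop(sid, None)  # a fresh login starts a new lifetime for this id
            last_seen[sid] = ts
        elif rec["event"] == "LOGOUT":
            logged_out[sid] = ts
            last_seen[sid] = ts
        else:  # REQUEST
            if sid in logged_out:
                # The server should have rejected this: the session was ended by the user.
                findings.append({"sid": sid, "rule": "post-logout-reuse", "ts": ts,
                                 "ip": rec["ip"], "path": rec["path"]})
            elif sid in last_seen and ts - last_seen[sid] > idle_limit:
                # Activity after a gap the idle timeout should have closed.
                findings.append({"sid": sid, "rule": "idle-timeout-exceeded", "ts": ts,
                                 "ip": rec["ip"], "path": rec["path"]})
            last_seen[sid] = ts
    return findings


if __name__ == "__main__":
    for f in find_stale_session_use(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['rule']:<22} sid={f['sid']} ip={f['ip']} path={f['path']}")
```

On the constructed sample this reports two post-logout requests for `a1b2c3` from a different source address than the login, and one request for `d4e5f6` after a 128-minute gap. The detector is stateful within one log pass, so run it over a window that contains the LOGIN and LOGOUT events, otherwise a session that began before the window will never be flagged.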

MITRE ATT&CK Enterprise Techniques

T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Insufficient session expiration allows reuse of valid session tokens (web cookies) to impersonate users and bypass authentication controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.

Deeper analysis

CVE-2025-22386 is a session management vulnerability in Optimizely Configured Commerce versions prior to 5.2.2408, specifically affecting the Commerce B2B application's storefront. The defect is insufficient session expiration (CWE-613): session tokens tied to logged-out sessions remain active and usable beyond their intended lifetime, so logging out does not actually end the session on the server side. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), which is a High rating; note that the vendor wording in the NVD description calls the issue medium-severity, so the two ratings differ.

The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). An attacker who holds a session token that the legitimate user has since logged out of, for example one captured earlier through access to the user's device or by interception, can keep presenting it: because the server never invalidated the token at logout, the request is still treated as the user's. The impact is high on confidentiality (C:H) and integrity (I:H) with no availability impact (A:N), allowing unauthorized access to or modification of sensitive storefront data. For operators the practical consequence is that on affected versions logout gives no guarantee of revocation; only the upgrade closes the window.
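The defect class and its fix side by side, as an added example (illustrative Python written for this page; it is not Optimizely's code and does not reproduce the product's actual session handling): a session store in which logout only instructs the browser to drop the cookie while the server-side record stays valid, next to a hardened store that removes the record at logout and also enforces idle and absolute lifetimes as AC-12 (Session Termination) requires. The class names, timeouts, the `FakeClock` helper and the `demo()` sequence are assumptions made for the example.

```python
import secrets
import time


class FakeClock:
    """Controllable clock so timeouts can be exercised without sleeping (test helper, assumed)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class VulnerableSessions:
    """Models the CWE-613 defect class: logout tells the browser to drop the cookie,
    but the server-side session record is never invalidated, so anyone who captured
    the token keeps a working session. Illustrative only; not Optimizely's code."""

    def __init__(self):
        self._sessions = {}  # token -> user

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256-bit random token; unguessable, but revocable only server-side
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Intentional defect (the pattern being illustrated): only the client is told
        # to forget the cookie; self._sessions still maps the token to the user.
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def resolve(self, token):
        """Return the user a presented token authenticates as, or None."""
        return self._sessions.get(token)


class HardenedSessions:
    """Server-side invalidation on logout plus idle and absolute lifetimes."""

    def __init__(self, idle_limit=30 * 60, absolute_limit=12 * 3600, clock=time.monotonic):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}
        self._idle_limit = idle_limit
        self._absolute_limit = absolute_limit
        self._clock = clock

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token):
        # The record is removed here, so the token is dead regardless of what the client does.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def resolve(self, token):
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > self._idle_limit or now - rec["created"] > self._absolute_limit:
            del self._sessions[token]  # expired: evict so a later request cannot revive it
            return None
        rec["last_seen"] = now  # activity extends the idle window, never the absolute one
        return rec["user"]


def demo():
    """Run both stores through the same login / logout / reuse sequence."""
    vuln = VulnerableSessions()
    captured = vuln.login("alice")
    vuln.logout(captured)

    clock = FakeClock()
    hard = HardenedSessions(clock=clock)
    t1 = hard.login("alice")
    hard.logout(t1)
    t2 = hard.login("alice")
    clock.advance(31 * 60)  # exceed the 30-minute idle limit

    return {
        "vulnerable_after_logout": vuln.resolve(captured),  # "alice": the token still works
        "hardened_after_logout": hard.resolve(t1),           # None
        "hardened_after_idle": hard.resolve(t2),             # None
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that token randomness does not help here: both stores issue unguessable tokens, and the vulnerable one still accepts a captured token after logout because revocation is a server-side state change, not a client-side one. A reverse proxy or WAF cannot compensate for this, since the request carrying the stale token is indistinguishable from a legitimate one.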

Optimizely has published security advisory COM-2024-04 at https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04, which details the vulnerability and mitigation steps. Practitioners should upgrade to Optimizely Configured Commerce 5.2.2408 or later to address the session longevity issue.

Details

CWE(s)

CWE-613 Insufficient Session Expiration

Affected Products

optimizely
configured commerce
versions before 5.2.2408 (fixed in 5.2.2408)

CVEs Like This One

CVE-2025-22387 (same product: Optimizely Configured Commerce)
CVE-2025-22384 (same product: Optimizely Configured Commerce)
CVE-2025-59786 (shared CWE-613)
CVE-2025-57735 (shared CWE-613)
CVE-2026-34828 (shared CWE-613)
CVE-2025-36377 (shared CWE-613)
CVE-2026-25476 (shared CWE-613)
CVE-2025-24973 (shared CWE-613)
CVE-2026-29092 (shared CWE-613)
CVE-2026-27649 (shared CWE-613)
