
CVE-2025-22386

Severity: High

Published: 04 January 2025
Modified: 20 May 2025
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0027 (50.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22386 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Optimizely Configured Commerce. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). The CVE ranks in the top 49.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AU-14 (Session Audit).

Deeper analysis

CVE-2025-22386 is a session management vulnerability discovered in Optimizely Configured Commerce versions prior to 5.2.2408, specifically impacting the Commerce B2B application's storefront. The issue involves insufficient session expiration (CWE-613), where session tokens tied to logged-out sessions remain active and usable beyond their intended lifespan. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating medium-high severity due to network accessibility and potential for significant data exposure or manipulation.

The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). By obtaining a session token from a logged-out session—potentially through prior access or interception—the attacker can reuse it to impersonate the user, achieving high impacts on confidentiality (C:H) and integrity (I:H) without affecting availability (A:N). This enables unauthorized access to or modification of sensitive storefront data.

Optimizely has published security advisory COM-2024-04 at https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04, which details the vulnerability and mitigation steps. Practitioners should upgrade to Optimizely Configured Commerce 5.2.2408 or later to address the session longevity issue.


Vulnerability details

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Insufficient session expiration allows reuse of valid session tokens (web cookies) to impersonate users and bypass authentication controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22387 (same product: Optimizely Configured Commerce)
CVE-2025-22384 (same product: Optimizely Configured Commerce)
CVE-2026-25476 (shared CWE-613)
CVE-2026-34828 (shared CWE-613)
CVE-2025-36377 (shared CWE-613)
CVE-2025-57735 (shared CWE-613)
CVE-2025-59786 (shared CWE-613)
CVE-2026-44511 (shared CWE-613)
CVE-2025-22390 (same vendor: Optimizely)
CVE-2024-45033 (shared CWE-613)

Affected Assets

Optimizely Configured Commerce ≤ 5.2.2408

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-12 Session Termination
prevent

Directly requires automatic termination of user sessions upon logout or after organization-defined inactivity periods, preventing reuse of tokens from logged-out sessions.

prevent

Mandates management of authenticators including periodic refresh, revocation, and protection, addressing prolonged validity of session tokens post-logout.

AU-14 Session Audit (partial match)
detect

Provides audit capability for session events, enabling detection of unauthorized access or activity using improperly persistent session tokens.
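The logout weakness described under Deeper analysis and the two controls above (AC-12 termination, AU-14 session audit) in working form, as an added example that is not Optimizely's code or the advisory's: a constructed in-memory session store whose vulnerable logout leaves the server-side record alive, beside a fixed logout that invalidates it and logs any later replay of the token. The names SessionStore, demo and IDLE_TIMEOUT are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # AC-12: organization-defined inactivity period, seconds

@dataclass
class Session:
    user: str
    last_seen: float

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # server record is the truth
    audit_log: list = field(default_factory=list)  # AU-14: session events

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now)
        self.audit_log.append(("login", user, sid[:8]))
        return sid

    def logout_vulnerable(self, sid: str) -> None:
        # CWE-613 pattern: client drops the cookie, server record stays valid.
        self.audit_log.append(("logout", self.sessions[sid].user, sid[:8]))

    def logout_fixed(self, sid: str) -> None:
        # AC-12: terminate the session on the server at logout.
        sess = self.sessions.pop(sid, None)
        if sess is not None:
            self.audit_log.append(("logout", sess.user, sid[:8]))

    def authenticate(self, sid: str, now: float):
        sess = self.sessions.get(sid)
        if sess is None:
            # Token with no live record: reject and log it (replay signal).
            self.audit_log.append(("rejected_unknown_token", None, sid[:8]))
            return None
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            self.audit_log.append(("expired_idle", sess.user, sid[:8]))
            return None
        sess.last_seen = now
        return sess.user

def demo(fixed: bool):
    # Constructed flow: log in, log out, replay the same token a minute later.
    store = SessionStore()
    sid = store.login("alice", 0.0)
    (store.logout_fixed if fixed else store.logout_vulnerable)(sid)
    return store.authenticate(sid, 60.0), store.audit_log
```

demo(False) returns the user, showing the replayed token still authenticates after logout; demo(True) returns None and the last audit entry records the rejected token, which is the event a session audit should surface.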
