Cyber Resilience

CVE-2025-54236

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 09 September 2025

Published
09 September 2025
Modified
11 May 2026
KEV Added
24 October 2025
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.7215 98.8th percentile
Risk Priority 81 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54236 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe Commerce. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability tracked as CVE-2025-54236. The flaw, assigned CWE-20, permits an attacker to perform session takeover with high impact on confidentiality and integrity. The issue carries a CVSS 3.1 score of 9.1 reflecting network attack vector, low complexity, and no requirements for authentication or user interaction.

An unauthenticated remote attacker can exploit the vulnerability without any user interaction to hijack active sessions in affected Adobe Commerce installations, thereby gaining unauthorized access that elevates both confidentiality and integrity risks.

Adobe has published remediation guidance under APSB25-88, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating that official patches and mitigation steps are available through standard Adobe Commerce update channels.

The associated EPSS score currently stands at 0.7215 with a recorded peak of 0.7372, and public references include technical analyses describing unauthenticated remote code execution potential in Magento deployments.

EU & UK References

Vulnerability details

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this…

more

issue does not require user interaction.

CWE(s)
KEV Date Added
24 October 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Direct unauthenticated exploitation of public-facing Adobe Commerce web app (T1190) resulting in session takeover/impersonation of valid user accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34645Same product: Adobe Commerce
CVE-2026-21309Same product: Adobe Commerce
CVE-2026-21289Same product: Adobe Commerce
CVE-2026-34646Same product: Adobe Commerce
CVE-2025-24409Same product: Adobe Commerce
CVE-2026-34647Same product: Adobe Commerce
CVE-2026-34648Same product: Adobe Commerce
CVE-2026-21284Same product: Adobe Commerce
CVE-2025-24438Same product: Adobe Commerce
CVE-2025-24406Same product: Adobe Commerce

Affected Assets

adobe
commerce
2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8
adobe
commerce b2b
1.3.3, 1.3.4, 1.4.2, 1.5.2, 1.5.3
adobe
magento
2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces information input validation mechanisms to mitigate the improper input validation vulnerability enabling unauthenticated session takeover.

prevent

Mandates identification, reporting, and correction of system flaws like this CVE through timely patching as recommended by Adobe and CISA.

prevent

Requires vulnerability scanning to detect and prioritize remediation of this specific CVE in vulnerable Adobe Commerce versions before exploitation.

References