CVE-2025-54236
Published: 09 September 2025
Summary
CVE-2025-54236 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe Commerce. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability tracked as CVE-2025-54236. The flaw, assigned CWE-20, permits an attacker to perform session takeover with high impact on confidentiality and integrity. The issue carries a CVSS 3.1 score of 9.1 reflecting network attack vector, low complexity, and no requirements for authentication or user interaction.
An unauthenticated remote attacker can exploit the vulnerability without any user interaction to hijack active sessions in affected Adobe Commerce installations, thereby gaining unauthorized access that elevates both confidentiality and integrity risks.
Adobe has published remediation guidance under APSB25-88, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating that official patches and mitigation steps are available through standard Adobe Commerce update channels.
The associated EPSS score currently stands at 0.7215 with a recorded peak of 0.7372, and public references include technical analyses describing unauthenticated remote code execution potential in Magento deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27277
Vulnerability details
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this…
more
issue does not require user interaction.
- CWE(s)
- KEV Date Added
- 24 October 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public-facing Adobe Commerce web app (T1190) resulting in session takeover/impersonation of valid user accounts (T1078).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces information input validation mechanisms to mitigate the improper input validation vulnerability enabling unauthenticated session takeover.
Mandates identification, reporting, and correction of system flaws like this CVE through timely patching as recommended by Adobe and CISA.
Requires vulnerability scanning to detect and prioritize remediation of this specific CVE in vulnerable Adobe Commerce versions before exploitation.