CVE-2025-54236
Published: 09 September 2025
Summary
CVE-2025-54236 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe Commerce. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces input validation mechanisms, addressing the improper input validation flaw that enables unauthenticated session takeover.
- Mandates identification, reporting, and correction of system flaws such as this CVE through timely patching, as recommended by Adobe and CISA.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to detect vulnerable Adobe Commerce versions and prioritize remediation of this CVE before it is exploited.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, unauthenticated exploitation of the public-facing Adobe Commerce web application (Exploit Public-Facing Application, T1190) results in session takeover, i.e. impersonation of valid user accounts (Valid Accounts, T1078).
NVD Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
Deeper analysis
CVE-2025-54236 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. Published on 2025-09-09, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its critical severity due to high impacts on confidentiality and integrity.
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables session takeover, allowing the attacker to impersonate legitimate users and compromise sensitive data or perform unauthorized actions on the affected Adobe Commerce instance.
Adobe's security advisory APSB25-88 details the issue and recommends applying available patches to mitigate it, with further guidance in the Experience League knowledge base article KA-27397. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog.
A third-party analysis on nullsecurityx.codes describes the flaw, under the name "SessionReaper," as enabling unauthenticated remote code execution, whereas official sources emphasize session takeover as the primary impact. Its inclusion in the CISA Known Exploited Vulnerabilities Catalog confirms real-world exploitation.
Details
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 24 October 2025