Vulnerability Details CVE-2025-54236
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.385
EPSS Ranking 97.1%
CVSS Severity
CVSS v3 Score 9.1
Proposed Action
Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.
Ransomware Campaign
Unknown
References
- https://helpx.adobe.com/security/products/magento/apsb25-88.html
- https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397
- https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236
Products affected by CVE-2025-54236
-
cpe:2.3:a:adobe:commerce:2.4.4
-
cpe:2.3:a:adobe:commerce:2.4.5
-
cpe:2.3:a:adobe:commerce:2.4.6
-
cpe:2.3:a:adobe:commerce:2.4.7
-
cpe:2.3:a:adobe:commerce:2.4.8
-
cpe:2.3:a:adobe:commerce:2.4.9
-
cpe:2.3:a:adobe:commerce_b2b:1.3.3
-
cpe:2.3:a:adobe:commerce_b2b:1.3.4
-
cpe:2.3:a:adobe:commerce_b2b:1.4.2
-
cpe:2.3:a:adobe:commerce_b2b:1.5.2
-
cpe:2.3:a:adobe:commerce_b2b:1.5.3
-
cpe:2.3:a:adobe:magento:2.4.5
-
cpe:2.3:a:adobe:magento:2.4.6
-
cpe:2.3:a:adobe:magento:2.4.7
-
cpe:2.3:a:adobe:magento:2.4.8
-
cpe:2.3:a:adobe:magento:2.4.9