⚠ Actively exploited

Added to CISA KEV on 2025-10-24. Federal agencies required to patch by 2025-11-14. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-54236 — Improper Input Validation in Adobe Commerce

CWE-20 — Improper Input Validation12 documents10 sources

Severity

9.1CRITICALNVD

EPSS

70.1%

top 1.32%

CISA KEV

KEV

Added 2025-10-24

Due 2025-11-14

Exploit

PoC available

Public exploit / PoC exists

Affected products

Adobe Commerce Magento Community-edition Magento Project-community-edition +3 more

Timeline

PublishedSep 9

KEV addedOct 24

KEV dueNov 14

Latest updateNov 25

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5adobe/adobe_commerce2.4.4-p15

▶NVDadobe/commerce6 versions+5

▶NVDadobe/commerce_b2b5 versions+4

▶NVDadobe/magento5 versions+4

▶Packagistmagento/community-edition2.4.6-p1 — 2.4.6-p12+4

🔴Vulnerability Details

GHSA

Magento Community Edition Improper Input Validation vulnerability↗2025-09-09

▶

CVEList

Adobe Commerce | Improper Input Validation (CWE-20)↗2025-09-09

▶

OSV

Magento Community Edition Improper Input Validation vulnerability↗2025-09-09

▶

VulnCheck

Adobe Commerce and Magento Improper Input Validation Vulnerability↗2025

▶

💥Exploits & PoCs

Metasploit

Magento SessionReaper↗

▶

Nuclei

Adobe Commerce - Authentication Bypass

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Adobe Commerce & Magento REST API SessionReaper Execution (CVE-2025-54236)↗2025-11-25

▶

Suricata

ET WEB_SPECIFIC_APPS Adobe Commerce & Magento SessionReaper Unauthenticated Remote Code Execution (CVE-2025-54236)↗2025-10-24

▶

📋Vendor Advisories

CISA

Adobe Commerce and Magento Improper Input Validation Vulnerability↗2025-10-24

▶

🕵️Threat Intelligence

Bleepingcomputer

Hackers exploiting critical "SessionReaper" flaw in Adobe Magento↗2025-10-22

▶

Bleepingcomputer

Adobe patches critical SessionReaper flaw in Magento eCommerce platform↗2025-09-09

▶