Improper Input Validation in Adobe Commerce Products
CVE-2025-54236
Key Information:
- Vendor: Adobe
- Status: Vendor
- CVE Published: 9 September 2025
What is CVE-2025-54236?
CVE-2025-54236 is a significant vulnerability found in Adobe Commerce products, specifically affecting versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. This vulnerability arises from improper input validation, which can be exploited by attackers without requiring user interaction. When successfully exploited, it can lead to session takeover, thereby compromising the confidentiality and integrity of sensitive data and user sessions within the affected software. Adobe Commerce is a widely used platform for building and managing online stores, and any security flaw within its framework can lead to severe operational disruptions and potential financial losses for organizations using the platform.
Potential impact of CVE-2025-54236
- Session Takeover: Attackers can leverage this vulnerability to gain unauthorized access to user sessions, potentially allowing them to impersonate legitimate users. This can lead to unauthorized transactions, data exfiltration, and a breach of customer trust.
- High Impact on Confidentiality and Integrity: The exploitation of this flaw can significantly elevate risks to the confidentiality and integrity of both user data and organizational information. Once an attacker has access, they can manipulate or steal sensitive information, impacting the organization’s reputation and legal standing.
- Increased Risk of Further Exploitation: The vulnerability can serve as a foothold for attackers to execute additional malicious activities within the affected systems, such as installing malware or extracting sensitive information, ultimately leading to increased risk and potential financial losses for the organization.
CISA has reported CVE-2025-54236
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-54236 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Adobe Commerce 0 <= 2.4.4-p15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Magento Input Validation Vulnerability Exploited In Wild To Hijack Session And Execute Malicious Codes
A critical vulnerability has been found in Magento, the popular e-commerce platform now rebranded as Adobe Commerce. Dubbed SessionReaper and tracked as CVE-2025-54236, this improper input validation flaw allows attackers to hijack user sessions and, in some cases, execute malicious code remotely.
4 days ago
Hackers Can Hijack Accounts Without Logging In ‘SessionReaper’ Critical Flaw Hits Adobe Commerce and Magento - 247News
The National Computer Emergency Response Team (NCERT) has warned of a critical vulnerability, tracked as CVE-2025-54236 and dubbed SessionReaper, in Adobe Commerce and Magento Open Source that allows attackers
5 days ago
Security Affairs newsletter Round 547 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs in your email box
1 week ago
EPSS Score
48% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🦅 CISA Reported
- 💰 Used in Ransomware
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved