Improper Input Validation in Adobe Commerce Products
CVE-2025-54236

9.1 CRITICAL

Key Information:

Vendor: Adobe
CVE Published: 9 September 2025

Badges

📈 Trended
📈 Score: 2,430
👾 Exploit Exists
📰 News Worthy

What is CVE-2025-54236?

CVE-2025-54236 is a critical improper input validation vulnerability in Adobe Commerce and Magento Open Source, affecting versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. It is reachable over the network and requires neither privileges nor user interaction; successful exploitation leads to session takeover, compromising the confidentiality and integrity of user sessions and of the data those sessions can reach. Because Adobe Commerce is a widely deployed platform for building and running online stores, a flaw of this kind exposes customer accounts and transactions and can cause operational disruption and financial loss for merchants running unpatched instances.

Potential impact of CVE-2025-54236

  1. Session Takeover: An attacker can hijack a legitimate user's session and act as that user, enabling unauthorized transactions, data exfiltration, and a loss of customer trust.

  2. High Impact on Confidentiality and Integrity: With a hijacked session, an attacker can read or alter sensitive customer and organizational data, with consequences for the merchant's reputation and legal exposure.

  3. Foothold for Further Attacks: A hijacked session can serve as a starting point for additional activity inside the store, such as deploying malicious code or extracting further data, compounding the risk and the potential financial loss.

Affected Version(s)

Adobe Commerce: all versions up to and including 2.4.4-p15 (the full per-branch list of affected releases is given above)
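The affected list above is given per release branch (2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier), so a naive "is my version lower than X" comparison gets it wrong: 2.4.8-p3 is newer than the 2.4.8 ceiling yet older than 2.4.9-alpha2. The script below is an added example, not Adobe's code or part of this advisory. It parses Adobe Commerce version strings (including -alphaN and -pN suffixes), compares a version against the ceiling for its own branch, treats older branches as affected under "and earlier", and reads the edition version from a composer.lock document using the magento/product-community-edition and magento/product-enterprise-edition package names. The composer.lock fragment is constructed for illustration. One caveat a practitioner needs: the advisory fix was also shipped as an isolated hotfix, and a version string cannot tell you whether that hotfix was applied, so "affected" here means "affected unless hotfixed".

```python
"""Check whether an Adobe Commerce / Magento Open Source version string falls
inside the affected range published for CVE-2025-54236.

Added example, not Adobe's code. The affected ceilings are copied from the
advisory list quoted on this page; the composer.lock lookup and sample data
are assumptions made for illustration.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Highest affected release on each branch, per the advisory list on this page.
# Each ceiling "and earlier" is affected. A version string cannot reveal
# whether Adobe's isolated hotfix was applied on top of an affected release.
AFFECTED_CEILINGS = [
    "2.4.9-alpha2",
    "2.4.8-p2",
    "2.4.7-p7",
    "2.4.6-p12",
    "2.4.5-p14",
    "2.4.4-p15",
]

# Package names Adobe uses in composer.lock for the two editions.
EDITION_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>alpha|beta|rc)(?P<prenum>\d+)?)?"  # e.g. 2.4.9-alpha2
    r"(?:-p(?P<plevel>\d+))?$"                      # e.g. 2.4.7-p7
)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_GA_RANK = 3  # a GA release sorts after any pre-release of the same number

Version = Tuple[int, int, int, int, int, int]


def parse_version(s: str) -> Version:
    """Map '2.4.7-p7' to (2, 4, 7, 3, 0, 7) so tuples compare correctly:
    2.4.7-alpha1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p2 < 2.4.8."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {s!r}")
    if m["pre"]:
        pre = (_PRE_RANK[m["pre"]], int(m["prenum"] or 0))
    else:
        pre = (_GA_RANK, 0)
    return (int(m["major"]), int(m["minor"]), int(m["patch"]),
            pre[0], pre[1], int(m["plevel"] or 0))


def assess(version: str) -> str:
    """Return 'affected', 'above-ceiling' or 'unlisted-branch'."""
    v = parse_version(version)
    branch = v[:3]
    ceilings: Dict[Tuple[int, int, int], Version] = {
        parse_version(c)[:3]: parse_version(c) for c in AFFECTED_CEILINGS
    }
    if branch in ceilings:
        # Listed branch: affected up to and including the ceiling.
        return "affected" if v <= ceilings[branch] else "above-ceiling"
    if branch < min(ceilings):
        # "and earlier" in the advisory covers older release lines too.
        return "affected"
    # Newer or otherwise unlisted branch: this list says nothing about it.
    return "unlisted-branch"


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Pull the edition package version out of a composer.lock document."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in EDITION_PACKAGES:
            return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not a real store's file).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7-p6"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p6"},
    ]
})

if __name__ == "__main__":
    found = version_from_composer_lock(SAMPLE_COMPOSER_LOCK)
    print(f"composer.lock edition version: {found} -> {assess(found)}")
    for v in ("2.4.8-p2", "2.4.8-p3", "2.4.3-p3", "2.4.9-alpha3", "2.4.10"):
        print(f"{v:>12} -> {assess(v)}")
```

Point `version_from_composer_lock` at the real composer.lock of a store to get its edition version; an "above-ceiling" result only means the release is newer than the affected ceiling for its branch, and an "affected" result should be cross-checked against whether the hotfix was applied.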

News Articles

Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

Adobe Commerce CVE-2025-54236 allows account takeover; hotfix and WAF deployed to block attacks.

1 month ago

Adobe patches critical SessionReaper flaw in Magento eCommerce platform

Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of 

1 month ago


CVSS V3.1

Score: 9.1
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability reserved
