Adobe Commerce Improper Input Validation (Session Takeover) 2.4.9alpha2 & prior
CVE-2025-54236 Published on September 9, 2025

Adobe Commerce | Improper Input Validation (CWE-20)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

Vendor Advisory NVD

Known Exploited Vulnerability

This Adobe Commerce and Magento Improper Input Validation Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

The following remediation steps are recommended / required by November 14, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2025-54236 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2025-54236

stack.watch emails you whenever new vulnerabilities are published in Adobe Commerce or Adobe Commerce. Just hit a watch button to start following.

Adobe Commerce
 
Adobe Commerce
 

Affected Versions

Adobe Commerce:

Exploit Probability

EPSS
73.72%
Percentile
98.80%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.