Lyrie
Vulnerability
CVSS 9.1 · Actively exploited · 4 sources verified · 4 min read
By Lyrie Threat Intelligence·4/22/2026

What happened

Adobe Commerce, Adobe Commerce B2B, and Magento Open Source are impacted by CVE-2025-54236, an Improper Input Validation flaw leading to session takeover with high confidentiality and integrity impact (NVD CVE-2025-54236). The issue is rated CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating unauthenticated, network-based exploitation with no user interaction and no availability impact (NVD CVSS 3.1 vector). Active exploitation is confirmed by CISA’s Known Exploited Vulnerabilities catalog, elevating this from a theoretical risk to an operational incident for exposed stores (CISA KEV listing).

Adobe lists affected release trains including 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, with patching guidance published under APSB25-88 (Adobe APSB25-88). The vendor also maintains a support KB entry accompanying the security update, which implementers should follow for deployment steps and known issues (Adobe Experience League KB). The CVE record is corroborated by MITRE and the GitHub advisory index, confirming identifiers and impact class for downstream tooling (MITRE CVE record, GitHub advisories index).

Why it matters

Pre-auth network exploitation with no user interaction means opportunistic scanning can compromise sessions at scale without phishing or credential stuffing prerequisites (NVD vector: AV:N/PR:N/UI:N). Session takeover maps directly to high confidentiality and integrity impact, enabling unauthorized access and tampering within affected Commerce storefronts and admin contexts (NVD impact metrics). With CISA confirming in-the-wild exploitation, organizations should assume active probing and prioritize emergency remediation windows for internet-exposed Magento/Commerce hosts (CISA KEV confirmation).

Merchants processing orders continuously are at heightened risk because even brief exposure windows can yield session hijack, abuse of authenticated workflows, and downstream fraud or data exposure consistent with the high-impact scoring (NVD CVSS scope). The breadth of affected version lines (multiple 2.4.x patch levels and earlier) increases the chance that unattended or lagging instances remain exploitable across environments (Adobe APSB25-88).

Technical detail

CVE-2025-54236 is categorized as Improper Input Validation within Adobe Commerce/Magento request handling, providing a path to session takeover when malicious inputs are accepted without adequate sanitization or enforcement (NVD description). The CVSS vector indicates exploitation is possible remotely over the network, has low attack complexity, requires no prior privileges, and needs no user interaction, aligning with an unauthenticated request path in typical web workflows (NVD CVSS vector). Impact is limited to confidentiality and integrity (C:H/I:H) with no availability effect (A:N), which is consistent with session hijack scenarios rather than service disruption (NVD impact fields).

Affected builds include Adobe Commerce 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, as enumerated by Adobe’s security bulletin for Magento/Commerce (Adobe APSB25-88 bulletin). The CVE assignment and metadata are mirrored in MITRE’s canonical record and aggregated by GitHub’s advisory index for ecosystem visibility and SBOM tooling (MITRE CVE mirror, GitHub advisory search).

Given the pre-auth vector and session-focused impact, exploitation likely manifests via crafted HTTP requests interacting with authentication or session management endpoints in Magento/Commerce before login flows, as implied by the PR:N/UI:N metrics (NVD vector details). The CISA KEV flag indicates real-world adversaries are achieving these conditions and obtaining session control on unpatched systems (CISA KEV evidence).

Defense

Patch immediately to the fixed builds provided by Adobe under APSB25-88; schedule an emergency change window for all internet-facing Commerce/Magento instances and follow the vendor’s release notes and installation guidance (Adobe APSB25-88). Where implementation specifics or mitigations are documented, align with the vendor’s support KB to avoid regressions and confirm post-install validation steps (Adobe Experience League KB).

Prioritize remediation per CISA’s Known Exploited Vulnerabilities process and track compliance to the KEV due-date workflow to reduce organizational exposure windows (CISA KEV prioritization). Validate whether your deployed versions match the affected matrix in APSB25-88, including staging and backup nodes, and close gaps in version drift before reopening external access (Adobe affected versions).
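To carry out that version check against the affected matrix quoted from APSB25-88, here is an added Python example (not Lyrie's or Adobe's code). It assumes Magento's major.minor.patch[-alphaN|-betaN|-pN] version form and that `bin/magento --version` prints a line like `Magento CLI 2.4.7-p7`; since this page lists only affected builds, a False result means "above the listed ceiling", not "confirmed fixed".

```python
import re
from typing import Optional, Tuple

# Affected ceilings per release train, exactly as quoted from APSB25-88 on this page.
# "and earlier" is handled by OLDEST_LISTED_TRAIN below.
AFFECTED_CEILINGS = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}
OLDEST_LISTED_TRAIN = (2, 4, 4)  # every train below this is "and earlier": affected

# Magento version strings: major.minor.patch, optionally -alphaN, -betaN or -pN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Pre-release tags sort below GA (no suffix); GA sorts below patch levels (-pN).
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}

Train = Tuple[int, int, int]
Level = Tuple[int, int]


def parse_version(text: str) -> Tuple[Train, Level]:
    """Split '2.4.7-p7' into its release train (2, 4, 7) and a sortable level (3, 7)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch)), (_STAGE_RANK[stage], int(num or 0))


def version_from_cli_output(line: str) -> str:
    """Pull the version token out of `bin/magento --version` output such as
    'Magento CLI 2.4.7-p7' (that output format is an assumption of this example)."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?", line)
    if not m:
        raise ValueError(f"no version token in: {line!r}")
    return m.group(0)


def listed_as_affected(version: str) -> Optional[bool]:
    """True  -> at or below the APSB25-88 ceiling for its train (or older than 2.4.4).
    False -> above the listed ceiling; confirm against the bulletin's fixed builds.
    None  -> train not enumerated on the page (newer than 2.4.9), so no verdict."""
    train, level = parse_version(version)
    if train < OLDEST_LISTED_TRAIN:
        return True
    ceiling = AFFECTED_CEILINGS.get(train)
    if ceiling is None:
        return None
    return level <= parse_version(ceiling)[1]
```

Run it across every node in the inventory (staging and backups included) and treat any True or None result as a host that must not be reopened to the internet until reconciled with the bulletin.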

For detection and IR, focus telemetry on anomalous session issuance and cookie/token reuse preceding authentication, which maps to the CVE’s session takeover impact profile and pre-auth network vector (NVD impact and vector). Use the KEV designation as justification to escalate monitoring and threat hunting across Commerce frontends, including reviewing recent access logs for suspicious pre-login request patterns (CISA KEV signal).

Lyrie Verdict

Pre-auth, no-interaction session hijack in a widely deployed commerce stack leaves no time for ticket queues; adversaries are already operational per CISA KEV, so detection and containment must hit machine speed (CISA KEV confirmation). The CVSS vector (AV:N/PR:N/UI:N) demands autonomous pre-login inspection and session-anomaly correlation rather than post-auth user analytics, which aligns to how this class of vulnerability is reached (NVD CVSS vector). Lyrie prioritizes this CVE class by keying detectors off pre-auth request flows and session materialization signals specific to Magento/Commerce patterns, enabling auto-containment before lateral movement or data tampering consistent with high C/I impact (NVD impact profile).

Lyrie Verdict

Pre-auth session takeover with active exploitation requires autonomous, machine-speed pre-login anomaly detection and auto-containment keyed to Magento/Commerce.

Validated sources

  1. NVD
  2. GitHub Advisory
  3. MITRE
  4. CISA KEV