CVE-2025-54236
Adobe Commerce | Improper Input Validation (CWE-20)
In short
Adobe Commerce has a flaw that fails to properly check user input, allowing attackers to take over customer or admin sessions without any user action. This gives attackers full access to accounts and sensitive data.
Technical detail
Improper input validation in affected Adobe Commerce versions (2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier) enables unauthenticated session hijacking. The vulnerability allows attackers to craft malicious input that bypasses validation controls, leading to unauthorized session establishment without requiring user interaction, resulting in high confidentiality and integrity impact.
Summary generated and translated by AI from the official description.
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Adobe · Adobe Commerce
Public PoCs found — 7
github.com/wubinworks/magento2-session-reaper-patch (GitHub, ★ 3)
github.com/alexb616/SessionReaper-CVE-2025-54236 (GitHub, ★ 1)
github.com/Baba01hacker666/cve-2025-54236 (GitHub, ★ 0)
github.com/amalpvatayam67/day01-sessionreaper-lab (GitHub, ★ 0)
github.com/brito101/session_reaper_lab (GitHub, ★ 0)
github.com/Jenderal92/magento-upload-auto-submit-zoneh (GitHub, ★ 0)
nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento (CVE reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397
https://helpx.adobe.com/security/products/magento/apsb25-88.html
https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236