How to fix CVE-2025-54236?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Is Adobe affected by CVE-2025-54236?

CVE-2025-54236 presents critical security risk, a input validation vulnerability rated CVSS 9.1. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

CVE-2025-54236

CRITICAL

2025-09-09 [email protected]

GHSA-wh92-6q6g-px7j

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Added to CISA KEV

Apr 09, 2026 - 01:00 cisa

CISA KEV

PoC Detected

Apr 09, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Mar 13, 2026 - 00:30 vuln.today

CVE Published

Sep 09, 2025 - 14:15 nvd

CRITICAL 9.1

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

Analysis

Adobe Commerce (Magento) contains an improper input validation vulnerability (CVE-2025-54236, CVSS 9.1) that enables unauthenticated session takeover with high confidentiality and integrity impact. KEV-listed with EPSS 73.7% and public PoC, this vulnerability threatens every Adobe Commerce storefront, potentially exposing customer payment data, order information, and administrative access to thousands of e-commerce sites.

Technical Context

The vulnerability exploits insufficient validation of session-related input, allowing an attacker to take over existing sessions without authentication. In an e-commerce context, this means access to customer accounts (with stored payment methods, addresses, order history) and potentially administrative accounts (with access to payment processing configuration, customer databases, and store management). Adobe Commerce powers a significant portion of enterprise e-commerce.

Affected Products

['Adobe Commerce 2.4.9-alpha2 and earlier', 'Adobe Commerce 2.4.8-p2 and earlier', 'Adobe Commerce 2.4.7-p7 and earlier', 'Adobe Commerce 2.4.6-p12 and earlier', 'Adobe Commerce 2.4.5-p14 and earlier', 'Adobe Commerce 2.4.4-p15 and earlier']

Remediation

Apply Adobe security update immediately. This has PCI DSS implications — notify payment processor if exploitation is suspected. Review admin accounts for unauthorized additions. Scan checkout pages for injected JavaScript skimmers. Monitor for unauthorized order or customer data exports. Enable admin session IP binding.

Priority Score

189

Low Medium High Critical

KEV: +50

EPSS: +73.7

CVSS: +46

POC: +20

CVE-2025-54236 vulnerability details – vuln.today

Back

CVE-2025-54236

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-54236

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code