
Adobe CVE-2025-54236

Severity: CRITICAL
Weakness: Improper Input Validation (CWE-20)
2025-09-09 · psirt@adobe.com · GHSA-wh92-6q6g-px7j
Score: 9.1 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 9.1 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (6 events)

Analysis Updated: Apr 20, 2026 - 13:27 (vuln.today) · v2 (cvss_changed)
Re-analysis Queued: Apr 20, 2026 - 13:22 (vuln.today) · cvss_changed
Added to CISA KEV: Apr 09, 2026 - 01:00 (cisa) · CISA KEV
PoC Detected: Apr 09, 2026 - 01:00 (vuln.today) · Public exploit code
Analysis Generated: Mar 13, 2026 - 00:30 (vuln.today)
CVE Published: Sep 09, 2025 - 14:15 (nvd) · CRITICAL 9.1

Description (source: CVE.org)

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Analysis (AI-generated)

Session hijacking in Adobe Commerce (Magento) 2.4.x through 2.4.9-alpha2 allows remote, unauthenticated attackers to take over active user sessions via improper input validation, and the flaw is confirmed to be actively exploited (listed in CISA KEV). With a 73.72% EPSS score (99th percentile) and public exploit code available, this represents a critical, widespread threat to e-commerce platforms. Attackers gain unauthorized access to user accounts, including administrative sessions, without requiring any victim interaction.

Technical Context (AI-generated)

Adobe Commerce (formerly Magento) is an enterprise e-commerce platform built on PHP/MySQL. This vulnerability stems from CWE-20 (Improper Input Validation) in the session management layer. The affected CPE range covers all 2.4.x releases from the 2.4.4 baseline through 2.4.9-alpha2, including all security patches up to p15 in the 2.4.4 line, p14 in 2.4.5, p12 in 2.4.6, p7 in 2.4.7, and p2 in 2.4.8. The validation flaw allows manipulation of session tokens or identifiers through HTTP requests, bypassing the authentication checks that should prevent unauthorized access to a session. The network attack vector (AV:N) with low complexity (AC:L) indicates the vulnerability is exploitable over standard web protocols without complex preconditions or race conditions.

Remediation (AI-generated)

Upgrade immediately to the patched versions released by Adobe in APSB25-88: Adobe Commerce 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, or 2.4.4-p16, depending on your baseline version. The Experience League knowledge base article (experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397) provides deployment-specific upgrade procedures.

For organizations unable to patch immediately, implement emergency compensating controls:

- Enable IP allowlisting for administrative access. This limits the attack surface but breaks legitimate remote admin workflows.
- Add session validation through Web Application Firewall rules targeting suspicious session token patterns. This requires WAF capability and custom rule development, and may cause false positives.
- Reduce the session timeout to 15 minutes or less. This degrades user experience but limits the lifespan of a hijacked session.
- Monitor authentication logs for anomalous session creation patterns and unusual administrative actions.

These mitigations reduce but do not eliminate risk; patching remains the only complete remediation given the unauthenticated network attack vector.
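The version lists above are the practical input to a fleet check: which installs are still below the APSB25-88 build for their baseline. The following is an added example, not code from vuln.today or Adobe; it encodes only the affected and fixed versions named on this page, treats baselines the page does not mention (such as 2.4.9 GA or later) as unknown rather than guessing, and uses a constructed host inventory.

```python
import re
from typing import Optional, Tuple

# Fixed builds named in APSB25-88 on this page, keyed by 2.4.x baseline.
FIXED_PATCH_LEVEL = {
    (2, 4, 4): 16, (2, 4, 5): 15, (2, 4, 6): 13, (2, 4, 7): 8, (2, 4, 8): 3,
}
# Pre-release builds the page lists as affected ("2.4.9-alpha2 ... and earlier").
AFFECTED_PRERELEASES = {((2, 4, 9), "alpha1"), ((2, 4, 9), "alpha2")}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:p(\d+)|((?:alpha|beta)\d+)))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int, Optional[str]]:
    """Split '2.4.7-p8' into ((2,4,7), 8, None) and '2.4.9-alpha2' into ((2,4,9), 0, 'alpha2')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version string: {text!r}")
    baseline = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch_level = int(m.group(4)) if m.group(4) else 0
    return baseline, patch_level, m.group(5)


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for CVE-2025-54236 using only this page's version list."""
    baseline, patch_level, prerelease = parse_version(text)
    if baseline < (2, 4, 4):
        return "vulnerable"            # everything older than 2.4.4-p15 is in scope
    fixed = FIXED_PATCH_LEVEL.get(baseline)
    if fixed is not None:
        if prerelease:                 # an alpha/beta of a supported baseline predates its patch train
            return "vulnerable"
        return "vulnerable" if patch_level < fixed else "patched"
    if (baseline, prerelease) in AFFECTED_PRERELEASES:
        return "vulnerable"
    return "unknown"                   # baseline not covered by the page; verify against the advisory


def needs_action(inventory):
    """Reduce (host, version) pairs to those not confirmed patched, with their status."""
    return [(host, v, assess(v)) for host, v in inventory if assess(v) != "patched"]


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for the demo.
    sample = [("shop-a", "2.4.7-p7"), ("shop-b", "2.4.7-p8"), ("shop-c", "2.4.4"),
              ("shop-d", "2.4.9-alpha2"), ("shop-e", "2.4.6-p13"), ("shop-f", "2.4.9")]
    for host, version, status in needs_action(sample):
        print(f"{host}: {version} -> {status}")
```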


CVE-2025-54236 vulnerability details – vuln.today
