Detections
Analytics

CVE-2025-54236

critical

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

References

https://helpx.adobe.com/security/products/magento/apsb25-88.html

https://www.cisa.gov/news-events/alerts/2025/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog

https://securityaffairs.com/183815/security/u-s-cisa-adds-microsoft-wsus-and-adobe-commerce-and-magento-open-source-flaws-to-its-known-exploited-vulnerabilities-catalog.html

https://www.securityweek.com/exploitation-of-critical-adobe-commerce-flaw-puts-many-ecommerce-sites-at-risk/

https://www.malwarebytes.com/blog/news/2025/10/thousands-of-online-stores-at-risk-as-sessionreaper-attacks-spread

https://www.darkreading.com/vulnerabilities-threats/sessionreaper-adobe-commerce-flaw-under-attack

https://securityaffairs.com/183754/hacking/over-250-attacks-hit-adobe-commerce-and-magento-via-critical-cve-2025-54236-flaw.html

https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-sessionreaper-flaw-in-adobe-magento/

https://securityaffairs.com/182075/security/critical-flaw-sessionreaper-in-commerce-and-magento-platforms-lets-attackers-hijack-customer-accounts.html

https://www.securityweek.com/adobe-patches-critical-coldfusion-and-commerce-vulnerabilities/

https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/

https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html

https://sansec.io/research/sessionreaper

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236

https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397

Details

Source: Mitre, NVD

Published: 2025-09-09

Updated: 2025-10-30

Named Vulnerability: SessionReaperKnown Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.44425

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest