Overview
Adobe Commerce versions 2.4.9-alpha2 and earlier contain an improper input validation vulnerability that can lead to a security feature bypass. The flaw allows an attacker to take over a user session without any user interaction, posing a critical risk to e-commerce installations. The vulnerability was disclosed on September 9, 2025. CISA lists CVE-2025-54236 as exploited in the wild; it is not currently known to be used in ransomware campaigns.
Technical details
Adobe Commerce contains an improper input validation vulnerability in a critical security mechanism. The vulnerability allows attackers to bypass security features that protect user sessions, enabling unauthorized session takeover. The flaw exists in how the application validates and processes user input related to session management or authentication tokens.
The vulnerability is classified as CWE-20 (Improper Input Validation), CWE-384 (Session Fixation) and CWE-613 (Insufficient Session Expiration).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker can exploit this vulnerability to bypass security features and take over legitimate user sessions. This could result in:
- **Account Takeover**: Complete control over customer or admin accounts
- **Data Breach**: Access to sensitive customer data, payment information, and order history
- **Unauthorized Transactions**: Ability to place orders, modify purchases, or process refunds
- **Admin Access**: In worst-case scenarios, attackers could gain administrative privileges
- **Store Compromise**: Potential to modify product listings, steal customer data, or inject malicious content
- **Reputation Damage**: Loss of customer trust and compliance violations (PCI-DSS, GDPR)
- **Financial Loss**: Direct losses from fraudulent transactions and remediation costs
Mitigation and workarounds
1. Backup your Adobe Commerce installation, including the database and media files.
2. Download the latest security patch from the Adobe Commerce Security Center.
3. Apply the patch using Composer:
```
composer require adobe-commerce/magento-cloud-patches
./bin/magento setup:upgrade
./bin/magento cache:clean
```
4. If using Magento Cloud, the patch will be applied automatically.
5. Verify the patch installation by checking the version number.
6. Clear all user sessions to prevent exploitation of existing tokens:
```
./bin/magento session:clear
```
The following versions include the necessary fixes: Adobe Commerce 2.4.8-p4 or later, Magento Open Source 2.4.8-p4 or later, and the Adobe Commerce 2.4.9 release version (stable, when available).
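The version check in step 5, as an added example that is not part of this advisory and not Adobe's own tooling: a small Python helper that parses the output of `bin/magento --version` and decides whether the installed release is in the fixed list the advisory gives (2.4.8-p4 or later, or the stable 2.4.9 release). Treating releases newer than the 2.4.9 line as fixed is an assumption and is marked as such in the code. One caveat: the reported version only reflects full releases, so a standalone hotfix applied on top of an older release will not change it; this check tells you whether you run a fixed release, not whether such a hotfix is present.

```python
import re
import subprocess
from typing import NamedTuple, Optional


class MagentoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    prerelease: Optional[str]  # "alpha", "beta" or "rc" for pre-releases, else None
    pre_n: int                 # number after the pre-release tag (2.4.9-alpha2 -> 2)
    plevel: int                # N from a "-pN" security patch release, 0 if none


# Matches "2.4.8", "2.4.8-p4" or "2.4.9-alpha2" inside arbitrary text such as
# the "Magento CLI 2.4.8-p4" line printed by `bin/magento --version`.
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?(?:-p(\d+))?\b",
    re.IGNORECASE,
)

# Fixed releases named in the advisory: 2.4.8-p4 or later, and the 2.4.9 stable release.
FIRST_FIXED_PLEVEL_2_4_8 = 4


def parse_version(text: str) -> MagentoVersion:
    """Extract the first Magento-style version string from text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Magento version string found in {text!r}")
    major, minor, patch, pre, pre_n, plevel = m.groups()
    return MagentoVersion(int(major), int(minor), int(patch),
                          pre.lower() if pre else None,
                          int(pre_n) if pre_n else 0,
                          int(plevel) if plevel else 0)


def is_fixed(v: MagentoVersion) -> bool:
    """True if the release is in the advisory's fixed list."""
    line = (v.major, v.minor, v.patch)
    if line == (2, 4, 8):
        return v.plevel >= FIRST_FIXED_PLEVEL_2_4_8
    if line == (2, 4, 9):
        # 2.4.9-alpha2 and earlier pre-releases are affected; only the stable
        # 2.4.9 release (or a -pN on top of it) is in the fixed list.
        return v.prerelease is None
    # ASSUMPTION: anything newer than the 2.4.9 line carries the fix; anything
    # older than 2.4.8 is not in the advisory's fixed list at all.
    return line > (2, 4, 9)


def check_cli_output(text: str) -> dict:
    """Parse `bin/magento --version` output and report whether it is a fixed release."""
    v = parse_version(text)
    return {"version": v, "fixed": is_fixed(v)}


if __name__ == "__main__":
    # Run from the Adobe Commerce install root.
    out = subprocess.run(["bin/magento", "--version"], capture_output=True,
                         text=True, check=True).stdout
    result = check_cli_output(out)
    print("fixed release" if result["fixed"] else "NOT a fixed release", result["version"])
```

Run it from the store's root directory; the decision logic is kept in `is_fixed` so it can be imported into an inventory or fleet-check script without shelling out.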
As temporary workarounds:
- Immediately invalidate all active user sessions and force users to re-authenticate.
- Implement temporary additional session validation controls.
- Restrict access to the Adobe Commerce admin panel to specific IP addresses or networks to reduce the attack surface.
- Enable web application firewall (WAF) rules to detect and block suspicious session-related requests and input patterns.
- Monitor session logs and authentication attempts for anomalies, and implement real-time alerting for suspicious activities.
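For the monitoring workaround (session logs and authentication attempts), an added example that is not part of this advisory: a Python script that runs three checks over session-event log lines, one per weakness class the advisory names. It flags a session id presented from more than one client address (a takeover indicator), a session id that survives login unchanged (CWE-384, fixation: the id was never regenerated), and an authenticated session that continues past the configured lifetime (CWE-613). The log format, field names, addresses and the 3600-second lifetime threshold are all constructed for the example; Adobe Commerce does not emit this format natively, so `parse_line` must be adapted to whatever your session or access log actually carries.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real traffic). One session event per line:
# "<ISO timestamp> <client ip> sid=<session id> event=<request|login> user=<name|->"
CONSTRUCTED_LOG = """\
2025-09-10T10:00:00Z 198.51.100.7 sid=abc123 event=request user=-
2025-09-10T10:00:05Z 198.51.100.7 sid=abc123 event=login user=alice
2025-09-10T10:00:30Z 203.0.113.9 sid=abc123 event=request user=alice
2025-09-10T10:01:00Z 198.51.100.8 sid=def456 event=request user=-
2025-09-10T10:01:05Z 198.51.100.8 sid=ghi789 event=login user=bob
2025-09-10T10:01:10Z 198.51.100.8 sid=ghi789 event=request user=bob
2025-09-10T12:30:00Z 198.51.100.8 sid=ghi789 event=request user=bob
"""


def parse_line(line):
    """Split one constructed-format log line into a dict (ValueError if malformed)."""
    ts_str, ip, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": ip, "sid": fields["sid"],
            "event": fields["event"], "user": fields["user"]}


def analyze(lines, max_lifetime_s=3600):
    """Return (session id, finding, detail) tuples for the three checks below."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    findings = []
    for sid, evs in by_sid.items():
        # 1. Takeover indicator: one session id presented from several client addresses.
        ips = sorted({e["ip"] for e in evs})
        if len(ips) > 1:
            findings.append((sid, "shared-across-ips", ips))

        # 2. Fixation indicator (CWE-384): the id issued to an anonymous visitor is
        #    kept after a successful login instead of being regenerated.
        seen_anonymous = False
        for e in evs:
            if e["event"] == "request" and e["user"] == "-":
                seen_anonymous = True
            elif e["event"] == "login" and seen_anonymous:
                findings.append((sid, "not-rotated-on-login", e["user"]))
                break

        # 3. Expiration indicator (CWE-613): authenticated activity continues past
        #    the lifetime the store is supposed to enforce (threshold is constructed).
        login = next((e for e in evs if e["event"] == "login"), None)
        if login is not None:
            age = int((evs[-1]["ts"] - login["ts"]).total_seconds())
            if age > max_lifetime_s:
                findings.append((sid, "exceeds-max-lifetime", age))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in analyze(CONSTRUCTED_LOG.splitlines()):
        print(f"{sid}: {kind} ({detail})")
```

On the constructed input the script reports `abc123` twice (used from two addresses, and kept across login) and `ghi789` once (authenticated activity 8935 seconds after login, beyond the 3600-second threshold). Each finding tuple is a natural alerting unit: feed it to whatever real-time alerting the workaround list calls for, keyed on session id.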
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

