CVE-2025-54236 · Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Vali

01 · The Real Story

This is a public checkout lane that lets strangers swap the receipt printer for their own

CVE-2025-54236 is an improper input validation flaw in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source that lets an unauthenticated attacker abuse the Commerce REST API for customer session takeover, and in some chains for remote code execution. Adobe lists Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier; B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier; and the magento/out-of-process-custom-attributes module 0.1.0 to 0.3.0 requiring upgrade to 0.4.0+.

The vendor's CRITICAL 9.1 label is basically right. The only serious downward friction is that the nastiest RCE path appears to depend on file-based session storage and adjacent upload behavior, but that does not rescue this issue: the reachable attack surface is still a public web API on internet-facing commerce sites, exploitation is in the wild, CISA added it to KEV on 2025-10-24, and account takeover on a live storefront already carries direct fraud and brand damage even before you get to shell access.

"KEV-listed, internet-facing, no-auth abuse on a revenue platform: treat SessionReaper as a live-fire critical."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the public REST surface

The attacker targets internet-exposed Adobe Commerce or Magento endpoints, typically the REST API that storefront integrations already expose. This is a pure remote entry point: no credentials, no user click, no prior foothold required.

Conditions required:

Target runs an affected Adobe Commerce/Magento version
Commerce REST API is reachable from the internet

Where this breaks in practice:

Only organizations actually running Adobe Commerce/Magento are in scope
Some merchants front the app with WAF rules or CDN protections that may block the most obvious payloads

Detection/coverage: External scanners can usually fingerprint Magento/Adobe Commerce presence and often version family, but exact hotfix state is harder to prove remotely.

STEP 02

Send a nested deserialization payload

Using tooling as simple as curl, or later publicized exploit chains such as the Metasploit exploit/multi/http/magento_sessionreaper module, the attacker sends crafted nested input to vulnerable Web API handling. The weakness sits in server-side processing, so normal customer traffic patterns can mask early probing.

Conditions required:

Vulnerable ServiceInputProcessor code path is present
Attacker can submit crafted JSON to relevant REST endpoints

Where this breaks in practice:

Payload quality matters; malformed objects often just error out
Good WAF signatures can break commodity exploit attempts, though not all chains

Detection/coverage: Look for abnormal nested object structures, repeated 400/500 responses against /rest/ paths, and WAF hits around deserialization-like payloads.

STEP 03

Take over sessions or accounts

Successful exploitation can corrupt or replace trusted session state, letting the attacker hijack customer sessions and operate as the victim. That means direct fraud paths: account access, order manipulation, wallet/loyalty abuse, and harvesting personal data.

Conditions required:

Application accepts the malicious object graph
Attacker can steer session handling through the vulnerable workflow

Where this breaks in practice:

Blast radius may begin at customer-account scope rather than immediate host takeover
Behavioral fraud controls can expose abuse after the initial takeover

Detection/coverage: Application logs, customer session anomalies, impossible-travel logins, sudden address/payment changes, and API writes under unexpected sessions are the best signals.

STEP 04

Escalate to code execution where the deployment allows it

Public research and the Rapid7 module describe a stronger chain that combines the deserialization bug with unauthenticated file upload behavior, especially on deployments using file-based session storage. In that case the attacker can land a PHP backdoor and execute commands on the server.

Conditions required:

File-based session storage or equivalent exploitable session/file handling is in use
Upload path and execution path are both reachable
Attacker has a working payload chain, not just a generic probe

Where this breaks in practice:

This is the biggest real-world limiter: Redis or database-backed sessions make the cleanest RCE chain less direct
Hardened file permissions, non-executable upload paths, and better WAF coverage can break the final leg

Detection/coverage: Scan for new PHP files in pub/ and customer upload directories, suspicious session files, phpinfo() probes, webshell filenames, and Sansec-published IoCs.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Confirmed active exploitation. Adobe amended APSB25-88 on 2025-10-22 to say it is aware of exploitation in the wild, and Sansec reported mass attacks starting 2025-10-22.
KEV status	YES. CISA KEV entry added 2025-10-24 with due date 2025-11-14 per NVD's KEV mirror.
PoC / weaponization	Publicly weaponized. NVD links a third-party exploit write-up from NullSecurityX, and Rapid7 published a Metasploit module `magento_sessionreaper` describing a 3-step unauthenticated chain.
EPSS	`0.72152` from the supplied intel, which is very high exploit probability. I did not independently verify the exact percentile, but the score itself is already enough to put this above normal patch noise.
CVSS vector meaning	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` means internet-reachable, low-complexity, no-auth, no-click abuse with high confidentiality and integrity impact. That lines up with real storefront risk.
Affected ranges	Adobe lists Adobe Commerce through `2.4.9-alpha2`, `2.4.8-p2`, `2.4.7-p7`, `2.4.6-p12`, `2.4.5-p14`, `2.4.4-p15`; matching Magento Open Source ranges; B2B through `1.5.3-alpha2`, `1.5.2-p2`, `1.4.2-p7`, `1.3.4-p14`, `1.3.3-p15`; plus `magento/out-of-process-custom-attributes` `0.1.0-0.3.0`.
Fixed versions / backports	Initial remediation was the standalone hotfix `VULN-32437-2-4-X-patch`; Adobe also says to upgrade `magento/out-of-process-custom-attributes` to `0.4.0+` where installed. The emergency fix was later folded into Adobe's regular Commerce security updates, including `APSB25-94`.
Exposure / attack telemetry	Sansec says automated attacks hit over 50% of stores globally, with 31% of stores reached by 2025-10-24, 49% by 2025-10-26, and 81% visited by 2025-11-01. I did not verify a trustworthy Shodan/Censys census in primary sources, so use this as attack telemetry rather than total internet exposure.
Disclosure and timeline	Adobe published APSB25-88 on 2025-09-09. Adobe's action-required article was updated 2025-09-18; exploitation acknowledgement was added to the bulletin on 2025-10-22; priority was raised on 2025-10-24.
Reporter / researcher	Adobe credits blaklis. Rapid7's exploit module also lists Blaklis, Tomais Williamson, and Valentin Lobstein as authors.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to CRITICAL (9.4/10)

The decisive factor is attacker position: this starts from unauthenticated remote access to an internet-facing commerce API, not from an internal foothold or privileged role. The main friction only narrows the path from host-level RCE to the cleanest chains; it does not materially reduce the business impact of live, in-the-wild account takeover on public storefronts.

HIGH Severity bucket for internet-facing Adobe Commerce/Magento deployments

MEDIUM How often the exploitation chain reaches full RCE versus session/account takeover only

Why this verdict

No-auth remote starting point: the chain begins from unauthenticated remote access over the network, which means no phishing stage, no local code execution, and no stolen credential prerequisite.
Public-facing population within the affected product set: Adobe Commerce stores are meant to be reachable from the internet; the vulnerable surface is not some buried admin-only RPC port.
Active exploitation and KEV are real amplifiers: KEV listing on 2025-10-24 plus Adobe's in-the-wild acknowledgement move this from theoretical critical to operationally urgent critical.
Downward adjustment audited and rejected as insufficient: the strongest RCE chain appears to depend on file-based sessions and adjacent upload behavior, which would normally shave the score down a bit, but the remaining session takeover path is still severe enough to keep the bucket at CRITICAL.
Modern controls are imperfect here: WAF can help, and Adobe Cloud/Fastly got protections, but third-party research says coverage was partial and public weaponization arrived quickly.

Why not higher?

There is real friction on the absolute worst-case outcome. Full unauthenticated RCE appears to rely on deployment-specific conditions such as file-based session storage and workable upload/execution paths, so this is not the cleanest universal one-packet-to-shell bug across every Magento estate.

Why not lower?

Lowering this would ignore the two facts that matter most to defenders: the attack starts unauthenticated from the internet, and it is already exploited in the wild. Even if some environments blunt the RCE chain, customer session takeover on a public revenue platform is still a business-critical incident class.

05 · Compensating Control

What to do — in priority order.

Block hostile REST patterns now — Deploy or tune WAF/CDN rules for suspicious nested object payloads and abusive /rest/ requests immediately, within hours because this is KEV-listed and actively exploited. This is the fastest way to cut exposure while patch validation catches up.
Disable or restrict risky upload paths — Constrain unauthenticated customer upload controllers and ensure upload directories are non-executable immediately, within hours. This specifically attacks the higher-severity chains that turn session abuse into file drop or webshell placement.
Hunt for webshells and rogue session artifacts — Search pub/, customer upload locations, and session storage for newly created PHP files, phpinfo() probes, or Sansec-style backdoor patterns immediately, within hours. On already-exposed storefronts, compromise assessment is part of mitigation, not a nice-to-have.
Prefer non-file session backends where feasible — If your deployment still uses file-based sessions, prioritize moving to Redis or database-backed sessions as a hardening measure within the CRITICAL window. It does not solve the base bug, but it raises friction on the most dangerous public exploit chains.
Verify patch state host-by-host — Do not trust version strings alone; Adobe explicitly notes patch state can be hard to determine. Use package and patch-status checks immediately, within hours so you can separate truly remediated nodes from cosmetics.

What doesn't work

Relying on perimeter firewalls alone doesn't help because the vulnerable surface is the intended public web/API interface.
MFA does not stop this chain because exploitation does not require valid credentials.
A version-only inventory is not enough, because Adobe shipped a standalone hotfix and later folded fixes into regular releases; patch state can diverge from plain package version.
Blocking only one published endpoint path is weak protection, because public research shows multiple ways to reach vulnerable behaviors and adjacent upload flows.

06 · Verification

Crowdsourced verification payload.

Run this on each Magento/Adobe Commerce application host with read access to the install root, for example: sudo bash check_cve_2025_54236.sh /var/www/html. It needs permission to read composer.lock, composer.json, and—if present—run vendor/bin/magento-patches -n status; it does not require internet access.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2025_54236.sh
# Detect likely exposure to CVE-2025-54236 (SessionReaper) on Adobe Commerce / Magento.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / not a Magento root

set -u

ROOT="${1:-}"
if [ -z "$ROOT" ]; then
  echo "UNKNOWN - usage: $0 /path/to/magento-root"
  exit 2
fi

if [ ! -d "$ROOT" ]; then
  echo "UNKNOWN - path does not exist: $ROOT"
  exit 2
fi

LOCK="$ROOT/composer.lock"
JSON="$ROOT/composer.json"
PATCH_TOOL="$ROOT/vendor/bin/magento-patches"
SIP="$ROOT/vendor/magento/framework/Webapi/ServiceInputProcessor.php"

if [ ! -f "$LOCK" ] && [ ! -f "$JSON" ]; then
  echo "UNKNOWN - composer files not found; not a recognizable Magento root"
  exit 2
fi

# Parse product version from composer.lock first, then composer.json as fallback.
get_version() {
  local file="$1"
  awk '
    BEGIN{pkg=""; ver=""}
    /"name": "magento\/product-community-edition"/ {pkg="community"}
    /"name": "magento\/product-enterprise-edition"/ {pkg="enterprise"}
    pkg != "" && /"version":/ {
      gsub(/[",]/, "", $2);
      print $2;
      exit
    }
  ' "$file" 2>/dev/null
}

PRODUCT_VERSION=""
if [ -f "$LOCK" ]; then
  PRODUCT_VERSION="$(get_version "$LOCK")"
fi
if [ -z "$PRODUCT_VERSION" ] && [ -f "$JSON" ]; then
  PRODUCT_VERSION="$(get_version "$JSON")"
fi

# Parse custom attributes module version if present.
get_module_version() {
  local file="$1"
  awk '
    BEGIN{pkg=""}
    /"name": "magento\/out-of-process-custom-attributes"/ {pkg="yes"}
    pkg == "yes" && /"version":/ {
      gsub(/[",]/, "", $2);
      print $2;
      exit
    }
  ' "$file" 2>/dev/null
}

MODULE_VERSION=""
if [ -f "$LOCK" ]; then
  MODULE_VERSION="$(get_module_version "$LOCK")"
fi

# Check if Adobe hotfix appears applied via QPT / magento-patches.
PATCH_EVIDENCE="no"
PATCH_STATUS_OUTPUT=""
if [ -x "$PATCH_TOOL" ]; then
  PATCH_STATUS_OUTPUT="$($PATCH_TOOL -n status 2>/dev/null || true)"
  if echo "$PATCH_STATUS_OUTPUT" | grep -Eiq '32437|54236|Applied'; then
    if echo "$PATCH_STATUS_OUTPUT" | grep -Eiq '32437|54236'; then
      PATCH_EVIDENCE="yes"
    fi
  fi
fi

# Fallback: inspect ServiceInputProcessor for strings commonly introduced by the fix.
FILE_EVIDENCE="no"
if [ -f "$SIP" ]; then
  if grep -Eq 'is not supported\. Correct the field name and try again|Unsupported parameter type for|does not have accessor method' "$SIP"; then
    FILE_EVIDENCE="possible"
  fi
fi

is_vulnerable_version() {
  local v="$1"
  # Explicitly vulnerable ranges from Adobe guidance.
  case "$v" in
    2.4.9-alpha1|2.4.9-alpha2) return 0 ;;
    2.4.8|2.4.8-p1|2.4.8-p2) return 0 ;;
    2.4.7|2.4.7-p1|2.4.7-p2|2.4.7-p3|2.4.7-p4|2.4.7-p5|2.4.7-p6|2.4.7-p7) return 0 ;;
    2.4.6|2.4.6-p1|2.4.6-p2|2.4.6-p3|2.4.6-p4|2.4.6-p5|2.4.6-p6|2.4.6-p7|2.4.6-p8|2.4.6-p9|2.4.6-p10|2.4.6-p11|2.4.6-p12) return 0 ;;
    2.4.5|2.4.5-p1|2.4.5-p2|2.4.5-p3|2.4.5-p4|2.4.5-p5|2.4.5-p6|2.4.5-p7|2.4.5-p8|2.4.5-p9|2.4.5-p10|2.4.5-p11|2.4.5-p12|2.4.5-p13|2.4.5-p14) return 0 ;;
    2.4.4|2.4.4-p1|2.4.4-p2|2.4.4-p3|2.4.4-p4|2.4.4-p5|2.4.4-p6|2.4.4-p7|2.4.4-p8|2.4.4-p9|2.4.4-p10|2.4.4-p11|2.4.4-p12|2.4.4-p13|2.4.4-p14|2.4.4-p15) return 0 ;;
    *) return 1 ;;
  esac
}

module_needs_upgrade() {
  local v="$1"
  case "$v" in
    0.1.0|0.2.0|0.3.0) return 0 ;;
    *) return 1 ;;
  esac
}

DETAILS="product_version=${PRODUCT_VERSION:-unknown}; module_version=${MODULE_VERSION:-not-installed}; patch_tool=$([ -x "$PATCH_TOOL" ] && echo present || echo absent); patch_evidence=$PATCH_EVIDENCE; file_evidence=$FILE_EVIDENCE"

if [ "$PATCH_EVIDENCE" = "yes" ]; then
  echo "PATCHED - Adobe hotfix evidence found; $DETAILS"
  exit 0
fi

if [ -n "$PRODUCT_VERSION" ] && is_vulnerable_version "$PRODUCT_VERSION"; then
  if [ -n "$MODULE_VERSION" ] && module_needs_upgrade "$MODULE_VERSION"; then
    echo "VULNERABLE - affected Commerce/Magento version and custom attributes module needs upgrade; $DETAILS"
    exit 1
  fi
  echo "VULNERABLE - affected Commerce/Magento version with no confirmed hotfix evidence; $DETAILS"
  exit 1
fi

if [ "$FILE_EVIDENCE" = "possible" ]; then
  echo "UNKNOWN - code may contain fix-like strings but no authoritative hotfix evidence; $DETAILS"
  exit 2
fi

echo "UNKNOWN - not in explicitly vulnerable version list or patch state cannot be proven from local artifacts; $DETAILS"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull your internet-facing Adobe Commerce/Magento inventory, verify which nodes are actually exposed, and assume unpatched public stores are incident candidates until proven otherwise. Because this is KEV-listed and actively exploited, patch / mitigate immediately, within hours overrides the normal timetable; use the noisgate mitigation SLA to justify emergency WAF/upload restrictions and compromise checks right now, then complete vendor hotfix or supported upgraded builds under the noisgate remediation SLA for CRITICAL issues, which is ≤ 90 days—but in practice, for exposed storefronts, you should not be letting this wait anywhere near that long.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.