← Back
CVE-2025-54236
CISA KEV
critical
CVSS 9.1
[KEV] Vulnerability in Adobe commerce (CVE-2025-54236)
Summary
vulnerability in Adobe commerce (CVE-2025-54236). Confidential information can be exposed externally. Listed in CISA KEV — actively exploited.
AI summary openai / gpt-4o
A critical vulnerability has been discovered in Adobe Commerce and Magento systems, potentially allowing attackers to hijack customer accounts. This issue is part of a pattern seen in similar systems previously, necessitating urgent action. It is recommended to promptly apply the security patches provided by Adobe to prevent potential exploitation.
CVE-2025-54236 is a vulnerability in Adobe Commerce and Magento Open Source due to improper input validation, specifically in the Magento\Framework\Webapi\ServiceInputProcessor's getConstructorData() method. Attackers can exploit the Commerce REST API, such as /rest/V1/customers/{id}, to manipulate session data through file-based storage, leading to potential RCE. Affected versions are up to Adobe Commerce 2.4.9-alpha2. Mitigation requires the application of Adobe's hotfix patch.
❓ What is the problem
Adobe Commerce and Magento Open Source are vulnerable to improper input validation, allowing account hijacking and potential RCE via API endpoints and file-based session storage.
📍 Affected scope
Magento\Framework\Webapi\ServiceInputProcessor class, getConstructorData() method, affecting REST API endpoints, especially /rest/V1/customers/{id}.
🔥 Severity
Critical (CVSS v3: 9.1): Network-based attack, no authentication or user interaction necessary, can lead to account takeover and possibly RCE.
🔧 How to fix
Apply the hotfix patch VULN-32437-2-4-X-patch provided by Adobe.
🛡️ Workaround
No specific workaround available; patch application is recommended.
🔍 Detection
Monitor API requests to /rest/V1/customers/{id} for unusual patterns; ensure secure object serialization practices in place.
Related past incidents Similar incidents extracted from past CVEs
An earlier RCE vulnerability in Adobe Magento that allowed unauthorized file upload and execution, demonstrating similar attack vectors.
Improper input validation in a GraphQL API leading to RCE in Magento 2, highlighting recurring issues with API vulnerabilities.
Adobe's Magento had a RCE vulnerability via improper validation of user-provided data, similar in nature to the current risk.
If this happens at your company Expected impact per business scenario
📌 ECサイトの場合法
攻撃者が顧客アカウントに不正アクセスし、個人情報の盗難や取引の改ざんが可能になる。
📌 社内システムの場合法
攻撃者により認証情報が盗まれ、内部データへの不正アクセスが可能になる。
📌 小規模オンラインショップの場合法
攻撃によってシステムがダウンし、信頼性の失墜を招く。
Recommended action
企業はAdobe提供のホットフィックスを迅速に適用し、API呼び出しの監視を強化することを推奨します。
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
grep -r 'commerce' . | grep -v node_modulesリポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `commerce` を grep し、稼働しているサービス・バージョンを把握する。
-
4Consider incident declaration escalate
Notify SOC / on-callCISA KEV登録済 = 実環境で悪用が観測されている。Step 3 で兆候があればインシデント対応宣言、無くてもパッチ適用までWAF強化を最優先で。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。
References
- advisory NVD
- exploit 134c704f-9b21-4f2e-91b3-4a467353bcc0
- patch [email protected]
- patch 134c704f-9b21-4f2e-91b3-4a467353bcc0
- web 134c704f-9b21-4f2e-91b3-4a467353bcc0