External risk intelligence

Adobe Commerce: attacker takeover of customer accounts and sensitive data

CVE advisory | Known Exploit

CVE-2025-54236

Multiple Adobe Commerce versions are affected by a critical vulnerability that allows attackers to take over customer accounts without any user interaction, potentially exposing sensitive data. Act now to secure your e-commerce platform.

Halo Surface Signal: 4

Adobe Commerce

2.4.4, 2.4.5, 2.4.6, 2.4.7

External exposure likelihood

Halo Surface Signal score for CVE-2025-54236

Adobe Commerce is a public-facing e-commerce platform. The REST API component targeted by this vulnerability is commonly exposed to the internet to facilitate storefront operations, customer account management, and API interactions for online sales, making public accessibility a standard deployment configuration.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Adobe Commerce allows an unauthorized person to take over user accounts. Attackers can exploit this issue remotely, without any interaction from the user, to gain unauthorized access to sensitive information and make changes to data.

  • E-commerce platforms are a target.
  • User accounts and data are at risk.
  • No user interaction needed for attack.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the Commerce REST API. This allows them to hijack active user sessions, gaining unauthorized access to user accounts and sensitive data. The attacker would specifically target the API endpoints responsible for session management to achieve this session takeover.

  • No user interaction needed.
  • Target the Commerce REST API.
  • Session management flaws exploited.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is highly likely to be weaponized. Attackers target e-commerce platforms because they offer direct access to sensitive customer data and financial information, which makes session takeover a valuable attack vector for immediate monetization or further compromise. The absence of any required user interaction and the fact that it is exploitable over the network further increase its attractiveness.

  • Exploited via public exploit.
  • Listed on CISA's KEV.
  • Recent KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Adobe Commerce versions 2.4.4 through 2.4.9-alpha2. This critical vulnerability allows unauthenticated session takeover, directly impacting confidentiality and integrity. Given its inclusion on the Known Exploited Vulnerabilities catalog and high EPSS score, immediate action is required to prevent compromise.

  • Apply available patches or upgrade.
  • Restrict network access to the Commerce REST API.
  • Monitor for unauthorized session activity.

Frequently asked questions

What is Adobe Commerce and what is it used for?

Adobe Commerce, formerly known as Magento, is a flexible and scalable e-commerce platform designed for mid- to large-scale enterprises. It empowers businesses to create personalized B2B and B2C shopping experiences, manage multiple brands and channels, and integrate with other Adobe Experience Cloud solutions. Businesses utilize it for online sales, customer account management, and orchestrating cross-channel customer journeys.

What type of vulnerability is CVE-2025-54236?

CVE-2025-54236 is an Improper Input Validation vulnerability (CWE-20). This flaw allows an unauthenticated attacker to submit malformed API requests, which can lead to session takeover and compromise of confidentiality and integrity.

How can CVE-2025-54236 be exploited?

An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the Commerce REST API. This allows them to hijack active user sessions, gaining unauthorized access to user accounts and sensitive data. The attack targets API endpoints responsible for session management. No user interaction is required for exploitation.

What is the relevance of CVE-2025-54236?

This vulnerability is highly likely to be weaponized because it targets public-facing e-commerce platforms, offering direct access to sensitive customer and financial data. Its inclusion on CISA's Known Exploited Vulnerabilities catalog and a high EPSS score indicate significant threat actor interest and potential for exploitation. The Halo Surface Signal indicates this is a likely threat due to the public-facing nature of the targeted component.

What actions should be taken to address CVE-2025-54236?

It is critical to prioritize patching Adobe Commerce versions 2.4.4 through 2.4.9-alpha2. Apply available patches or upgrade to secure versions of the software. Additionally, consider restricting network access to the Commerce REST API where feasible and actively monitor for any unauthorized session activity.
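As an added, defender-side example that is not part of this advisory or of Adobe's own tooling, the following script supports the Operational Fix steps and this answer: it checks a version string against the stated affected range (2.4.4 through 2.4.9-alpha2) and scans constructed access-log lines for Commerce REST API requests arriving from outside an allow-list. It assumes the default `/rest/` base path of the Commerce REST API and Magento-style version strings (`-alphaN`, `-pN`); the log lines, paths and addresses are constructed placeholders.

```python
import ipaddress
import re

# Affected range as stated in the advisory (inclusive at both ends).
AFFECTED_LOW, AFFECTED_HIGH = "2.4.4", "2.4.9-alpha2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d*))?$")

def version_key(version):
    """Sort key: alpha/beta/rc sort before the bare release, -pN patches after it."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        rank = 1                      # plain release, e.g. 2.4.7
    elif tag == "p":
        rank = 2                      # post-release security patch, e.g. 2.4.7-p3
    else:
        rank = 0                      # pre-release, e.g. 2.4.9-alpha2
    return (int(major), int(minor), int(patch), rank, tag or "", int(num or 0))

def is_affected(version):
    """True when `version` falls inside the advisory's affected range."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)

# Constructed nginx-style access log lines; paths and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:10:00:01 +0000] "POST /rest/V1/placeholder HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [10/Sep/2025:10:00:02 +0000] "GET /rest/V1/placeholder HTTP/1.1" 200 128 "-" "storefront/1.0"
198.51.100.9 - - [10/Sep/2025:10:00:03 +0000] "GET /catalogsearch/result/?q=shoes HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def rest_requests_outside_allowlist(log_text, allowed_networks, rest_prefix="/rest/"):
    """Return (ip, method, path) for REST API requests from sources not covered by
    `allowed_networks` (CIDR strings); once the API is meant to be reachable only
    from known networks, every other source hitting it deserves a look."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue                  # skip lines that do not match the log format
        ip, method, path, _status = m.groups()
        if path.startswith(rest_prefix) and not any(ipaddress.ip_address(ip) in n for n in nets):
            hits.append((ip, method, path))
    return hits
```

A version string alone cannot show whether an out-of-band patch has been applied on top of a release, so treat the version check as a triage aid rather than proof of remediation.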
