Introduction
Session hijacking and administrative account takeover have immediate consequences for e-commerce businesses. The recent CVE-2025-54236 vulnerability in Adobe Commerce and Magento has triggered an emergency response from Adobe, with a critical patch released outside the regular schedule to address the risk of widespread compromise.
Adobe Commerce (formerly Magento) is a leading e-commerce platform used by hundreds of thousands of online retailers globally, from small businesses to large enterprises. Its flexibility and extensibility have made it a backbone of digital commerce, but also a frequent target for attackers seeking to exploit vulnerabilities for financial gain.
Technical Information
CVE-2025-54236 is a critical improper input validation vulnerability affecting the Web API ServiceInputProcessor component in Adobe Commerce and Magento. The vulnerability allows unauthenticated attackers to submit maliciously crafted API requests that bypass intended security controls. The root cause is insufficient sanitization and type validation of nested objects passed through REST, GraphQL, or SOAP API endpoints.
Attackers exploit this flaw by sending specially crafted payloads that the ServiceInputProcessor fails to validate properly. This allows unexpected parameter types or objects to be injected into the request, which can trigger code paths the API was never meant to expose. The weakness is classified as CWE-20 (Improper Input Validation) and is particularly dangerous because it requires neither user interaction nor authentication.
Sansec's analysis of the patch indicates that exploitation is feasible on systems using file-based session storage, the default for most Adobe Commerce and Magento installations. That finding comes from studying the fix rather than from a public exploit, so moving sessions to a database or Redis should be treated as defence in depth, not as a substitute for patching. Adobe's emergency patch introduces stricter parameter type checks in the ServiceInputProcessor: only recognised scalar types and API data objects are accepted as parameters, and anything else is rejected, which directly addresses the missing validation.
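The following is an added example, not Magento's ServiceInputProcessor and not code from the advisory. It is a deliberately small PHP 8.1+ model of a web API input processor that maps a decoded request body onto a service method's declared parameter types. The interface, class and method names (ApiDataInterface, CustomerData, InternalWriter, InputProcessor) are illustrative. The "strict" flag models the difference the text describes: in non-strict mode any loadable class named in the signature is instantiated and its setters are fed request data; in strict mode only scalars and classes implementing the API data contract are accepted, and a scalar parameter that arrives as an array is rejected outright.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code: minimal model of typed web API input
// handling. Names below are illustrative assumptions.

interface ApiDataInterface {}

// A legitimate API data object the endpoint expects.
final class CustomerData implements ApiDataInterface
{
    private string $email = '';
    public function setEmail(string $email): void { $this->email = $email; }
    public function getEmail(): string { return $this->email; }
}

// An internal class outside the API data contract. Request input should
// never be able to instantiate it or drive its setters.
final class InternalWriter
{
    public string $path = '';
    public function setPath(string $path): void { $this->path = $path; }
}

final class InputProcessor
{
    private const SCALARS = ['int', 'float', 'string', 'bool'];

    public function __construct(private readonly bool $strict) {}

    /**
     * @param array<string,string> $signature parameter name => declared type
     * @param array<string,mixed>  $request   decoded request body
     * @return array<string,mixed> arguments ready for the service method
     */
    public function process(array $signature, array $request): array
    {
        $args = [];
        foreach ($signature as $name => $type) {
            if (!array_key_exists($name, $request)) {
                throw new InvalidArgumentException("Missing parameter: $name");
            }
            $args[$name] = $this->convert($type, $request[$name]);
        }
        return $args;
    }

    private function convert(string $type, mixed $value): mixed
    {
        if (in_array($type, self::SCALARS, true)) {
            // A scalar parameter must arrive as a scalar; an array in its
            // place is exactly the "unexpected type" that must be rejected.
            if (!is_scalar($value)) {
                throw new InvalidArgumentException("Expected $type, got " . gettype($value));
            }
            settype($value, $type);
            return $value;
        }
        if (!is_array($value)) {
            throw new InvalidArgumentException("Expected object data for $type, got " . gettype($value));
        }
        // The hardening: only API data objects may be built from request
        // input. Without this check any loadable class whose name reaches
        // $type is instantiated and its setters receive attacker data.
        if ($this->strict && !is_subclass_of($type, ApiDataInterface::class)) {
            throw new InvalidArgumentException("$type is not an API data object");
        }
        if (!class_exists($type)) {
            throw new InvalidArgumentException("Unknown type $type");
        }
        $object = new $type();
        foreach ($value as $property => $propertyValue) {
            $setter = 'set' . ucfirst((string) $property);
            if (method_exists($object, $setter)) {
                $object->$setter($propertyValue);
            }
        }
        return $object;
    }
}

// Usage with constructed request data (not captured traffic).
$signature = ['customer' => CustomerData::class, 'limit' => 'int'];
$request   = ['customer' => ['email' => 'alice@example.com'], 'limit' => '5'];

$safe = new InputProcessor(strict: true);
$args = $safe->process($signature, $request);
printf("ok: %s, limit=%d\n", $args['customer']->getEmail(), $args['limit']);

foreach ([new InputProcessor(strict: false), $safe] as $processor) {
    try {
        $obj = $processor->process(['target' => InternalWriter::class], ['target' => ['path' => '/var/lib/php/sessions/x']]);
        printf("built %s with path=%s (non-strict mode)\n", $obj['target']::class, $obj['target']->path);
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The point of the model is the order of checks in convert(): the type allowlist is applied before any object is constructed, so a disallowed class never has a constructor or setter run with request-controlled values. The non-strict branch is there only to show what "anything reachable by name gets built" means; it should not appear in production code.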
Affected Systems and Versions
The following Adobe Commerce and Magento versions are affected by CVE-2025-54236:
- Adobe Commerce 2.4.9-alpha2
- Adobe Commerce 2.4.8-p2
- Adobe Commerce 2.4.7-p7
- Adobe Commerce 2.4.6-p12
- Adobe Commerce 2.4.5-p14
- Adobe Commerce 2.4.4-p15
- All earlier versions
Because the emergency fix was shipped as a patch applied on top of these releases rather than as a new release number, an installed version string that appears in this list tells you which release is running but not whether the patch has been applied; verify the patch separately rather than relying on the version alone.
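To turn the list above into a check, here is an added PHP script (not Adobe tooling) that compares a version string against the advisory's per-branch ceilings. It assumes the version is supplied on the command line; how you obtain it (composer metadata, the CLI, a deployment manifest) is up to you. The parser orders pre-release suffixes (alpha, beta, rc) below the plain release and -pN patch levels above it, and treats any branch older than 2.4.4 as affected per "all earlier versions".

```php
<?php
declare(strict_types=1);

// Added example, not Adobe tooling: compare an Adobe Commerce / Magento
// version string against the advisory's affected-release list.
// Run as: php check-version.php 2.4.7-p6

// Highest affected release on each branch, as listed in the advisory.
const AFFECTED_CEILING = [
    '2.4.9' => '2.4.9-alpha2',
    '2.4.8' => '2.4.8-p2',
    '2.4.7' => '2.4.7-p7',
    '2.4.6' => '2.4.6-p12',
    '2.4.5' => '2.4.5-p14',
    '2.4.4' => '2.4.4-p15',
];

/**
 * Parse "2.4.7-p7" into a sortable tuple [major, minor, patch, stage, n].
 * Pre-release stages (alpha, beta, rc) sort below the plain release and
 * patch levels (-pN) sort above it, so 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1.
 */
function parseVersion(string $version): array
{
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$/i', trim($version), $m)) {
        throw new InvalidArgumentException("Unrecognised version string: $version");
    }
    $stages = ['alpha' => 0, 'beta' => 1, 'rc' => 2, '' => 3, 'p' => 4];
    $stage = strtolower($m[4] ?? '');
    return [(int) $m[1], (int) $m[2], (int) $m[3], $stages[$stage], (int) ($m[5] ?? 0)];
}

/**
 * True when the version is at or below the advisory's ceiling for its
 * branch, or on a branch older than any listed ("all earlier versions").
 * False means the release is not in the list: a later release on a listed
 * branch, or something newer than the advisory covers.
 */
function isListedAsAffected(string $version): bool
{
    $v = parseVersion($version);
    $branch = "{$v[0]}.{$v[1]}.{$v[2]}";
    if (isset(AFFECTED_CEILING[$branch])) {
        // PHP compares equal-length arrays element by element.
        return $v <= parseVersion(AFFECTED_CEILING[$branch]);
    }
    return $v < parseVersion('2.4.4');
}

$input = $argv[1] ?? '2.4.7-p6';
printf("%s: %s\n", $input, isListedAsAffected($input) ? 'listed as affected' : 'not in the affected list');
```

A "not in the affected list" result for a version such as 2.4.7-p8 only means the release is later than the advisory's ceiling; a "listed as affected" result for 2.4.8-p2 does not tell you whether the out-of-band patch has since been applied to that installation, so treat the script as a first filter, not as a verdict.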
Vendor Security History
Adobe has a history of addressing critical vulnerabilities in its Commerce (Magento) platform. Notable past issues include:
- Shoplift (2015)
- Ambionics SQLi (2019)
- TrojanOrder (2022)
- CosmicSting (2024)
Adobe normally ships Commerce security updates on a quarterly schedule but has issued out-of-band patches for severe vulnerabilities, as it did for CVE-2025-54236. The vendor works with external security researchers and has been willing to break its patch cadence when the risk warrants it.