CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-54236

CVSS 9.1v3.1pub. 2025-09-09upd. 2026-05-12

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Adobe Commerce

    APP
    Adobe
    2.4.42.4.52.4.62.4.72.4.82.4.9
  • Adobe Commerce B2b

    APP
    Adobe
    1.3.31.3.41.4.21.5.21.5.3
  • Adobe Magento

    APP
    Adobe
    2.4.52.4.62.4.72.4.82.4.9

CISA KEV — detailsi

Vendori
Adobe
Producti
Commerce and Magento
Added to KEVi
October 24, 2025
Remediation deadline (US Federal)i
November 14, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 14 listopada 2025
CWE
References

Related vulnerabilities

CVE-2024-34102CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczna podatność XXE w Adobe Commerce umożliwiająca RCE

CVE-2022-24086CRITICAL9.8⚠ KEVten sam produkt

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...

CVE-2025-24434CRITICAL9.1PL ✓ten sam produkt

Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation

CVE-2024-45115CRITICAL9.8PL ✓ten sam produkt

Adobe Commerce — nieprawidłowe uwierzytelnienie umożliwiające privilege escalation

CVE-2024-39397CRITICAL9.0PL ✓ten sam produkt

Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików