CVE-2025-54236

critical KEV

Published 2025-09-09 · Modified 2025-10-24

CVSS v3

9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2

—

VIR risk

10.0

Description

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.

CISA KEV

Vendor: Adobe
Product: Commerce and Magento
Due date: 2025-11-14

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54236

vendor Authored 2026-05-27

Vendor advisory: 134c704f-9b21-4f2e-91b3-4a467353bcc0 — https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397

vendor Authored 2026-05-27

Vendor advisory: psirt@adobe.com — https://helpx.adobe.com/security/products/magento/apsb25-88.html

Exploits

Package impact

Ecosystem	Package	Vulnerable
Packagist	magento/community-edition	`<=2.4.5-p14`
Packagist	magento/community-edition
Packagist	magento/community-edition	`>=2.4.6-p1,<=2.4.6-p12`
Packagist	magento/community-edition	`>=2.4.9-alpha1,<=2.4.9-alpha2`
Packagist	magento/community-edition	`>=2.4.7-beta1,<=2.4.7-p7`
Packagist	magento/community-edition	`>=2.4.8-beta1,<=2.4.8-p2`
Packagist	magento/project-community-edition	`<=2.0.2`

Application impact

Vendor	Product	Versions
adobe	commerce	`2.4.4`
adobe	commerce	`2.4.5`
adobe	commerce	`2.4.6`
adobe	commerce	`2.4.7`
adobe	commerce	`2.4.8`
adobe	commerce	`2.4.9`
adobe	commerce_b2b	`1.3.3`
adobe	commerce_b2b	`1.3.4`
adobe	commerce_b2b	`1.4.2`
adobe	commerce_b2b	`1.5.2`
adobe	commerce_b2b	`1.5.3`
adobe	magento	`2.4.5`
adobe	magento	`2.4.6`
adobe	magento	`2.4.7`
adobe	magento	`2.4.8`
adobe	magento	`2.4.9`

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.