CVE•Published 2025-09-09•Modified 2026-05-11•1 article on news•7 live references•NVD data
CVE-2025-54236Adobe · Commerce
Vulnerability data via NVD (ingested)
CVSS v3.1
9.1
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS percentile
98
Exploit Prediction Scoring System · top 2% of all CVEs
Weaknesses (CWE)
Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
Timeline
Published 2025-09-09
Modified 2026-05-11
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan · vuln tag0 hosts
vuln:CVE-2025-54236Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product + version
product:"Adobe Commerce" version:"2.4.4"Version-pinned fingerprint from NVD's first vulnerable CPE.
Shodan · banner/body mention
http.html:"Commerce"HTTP body or banner mentions "Commerce" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2025-54236Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-54236Censys host search filtered to this CVE id.
grep.app
CVE-2025-54236Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-54236GitHub code search for direct mentions.
Google dork
"CVE-2025-54236" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.
Known PoCs on GitHub (8)
CVE-2025-542368 repos
tylzars/awesome-vrre-writeupsunknown
A collection of Vulnerability Research and Reverse Engineering writeups.
AquiveMedia/magento2-disable-customer-upload-controllerPHP
olivertar/m2_sessionreaperPHP
DeployEcommerce/module-prevent-customer-address-file-uploadPHP
A Magento2 extension that prevents file uploads to the /customer/address_file/upload endpoint.
shuaiZend/magescanGo
A high-performance, read-only security scanner for Magento 2 that detects web shells, payment skimmers, obfuscated malware, and database injections
SamJUK/m2-meta-security-patchesShell
Composer meta-package that automatically applies all critical and isolated security patches for Magento released by Adobe
wubinworks/magento2-session-reaper-patchPHP
Patch for CVE-2025-54236(a.k.a Session Reaper) which allows customer account takeover and RCE under certain conditions. This patch is actually a Magento 2 extension and universal c…
Baba01hacker666/gemini-redteamunknown
Red team gemini skills and plugins