Adobe Magento Improper Input Validation Vulnerability Exploited in Attacks (CVE-2025-54236)
Security researchers at e-commerce security firm Sansec have discovered that threat actors are actively exploiting a vulnerability in the Adobe Commerce and Magento Open Source platforms.
Tracked as CVE-2025-54236, the vulnerability is rated critical with a CVSS score of 9.1. It stems from improper input validation and can allow attackers to hijack customer accounts through the Commerce REST API.
Sansec reports that 62% of Magento stores have yet to apply the fix, leaving them exposed six weeks after public disclosure. Adobe has confirmed active exploitation of the vulnerability in the wild.
The attacks originate from several IP addresses. Attackers use the vulnerability to upload PHP webshells disguised as session files through the /customer/address_file/upload endpoint, or to collect PHP configuration details by probing for phpinfo.
This vulnerability adds to the recent challenges Adobe Commerce and Magento faced. It follows another serious deserialization vulnerability, CosmicSting (CVE-2024-34102), which was widely exploited last year.
With proof-of-concept exploits now circulating publicly, store owners and administrators should apply the security patches promptly to prevent further compromise.
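A triage check for the attack activity described above, added here as an illustration (it is not Sansec's, Adobe's or Qualys's tooling): it flags requests to the /customer/address_file/upload endpoint and phpinfo probes in web server access logs, counts hits per source IP, and looks for PHP open tags inside session files, which genuine serialised session data never contains. The log lines, session contents and IP addresses are constructed samples.

```python
import os
import re
from collections import Counter

# Indicators from the reporting summarised above: requests to the vulnerable
# /customer/address_file/upload endpoint, and probes for phpinfo.
UPLOAD_ENDPOINT = "/customer/address_file/upload"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)

# Combined/common log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Legitimate PHP session files hold serialised data and never contain a PHP open tag.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=")


def classify_request(line):
    """Return (ip, reason, status) for a request matching an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].rstrip("/")
    # Store-code prefixes (e.g. /default/customer/...) are common, so match on the suffix.
    if path.endswith(UPLOAD_ENDPOINT):
        return m.group("ip"), "address_file upload endpoint hit", m.group("status")
    if PHPINFO_RE.search(m.group("path")):
        return m.group("ip"), "phpinfo probe", m.group("status")
    return None


def scan_log(lines):
    """Run classify_request over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify_request, lines) if hit]


def suspicious_ips(findings):
    """Hits per source IP; a few IPs dominating the hits matches the pattern Sansec described."""
    return Counter(ip for ip, _, _ in findings)


def find_php_in_sessions(entries):
    """entries: iterable of (filename, bytes). Returns names of session files carrying PHP code."""
    return [name for name, data in entries if PHP_TAG_RE.search(data)]


def scan_session_dir(path):
    """File-based sessions only (var/session); Redis/DB session storage needs a different check."""
    def entries():
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    yield name, fh.read()
    return find_php_in_sessions(entries())


# Constructed sample access-log lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:11:02:14 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [10/Oct/2025:11:02:16 +0000] "POST /default/customer/address_file/upload/ HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [10/Oct/2025:11:05:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "curl/8.4"
192.0.2.25 - - [10/Oct/2025:11:07:44 +0000] "GET /rest/V1/products?searchCriteria[pageSize]=5 HTTP/1.1" 200 8910 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Oct/2025:11:08:02 +0000] "GET /customer/account/ HTTP/1.1" 200 340 "-" "Mozilla/5.0"
"""

# Constructed session-file contents: one genuine serialised session, one stand-in for a webshell.
SAMPLE_SESSIONS = [
    ("sess_0a1b2c3d4e", b'_session_validator_data|a:1:{s:11:"remote_addr";s:10:"192.0.2.25";}'),
    ("sess_ffee99", b'<?php echo "constructed webshell stand-in"; ?>'),
]

if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG.splitlines())
    for ip, reason, status in findings:
        print(f"{ip}\t{reason}\tHTTP {status}")
    print("hits per IP:", dict(suspicious_ips(findings)))
    print("session files containing PHP:", find_php_in_sessions(SAMPLE_SESSIONS))
```

Point `scan_log` at the real access log (e.g. `scan_log(open("/var/log/nginx/access.log"))`) and `scan_session_dir` at the store's `var/session` directory. Legitimate customer address uploads also hit the endpoint, so the log check is a filter for manual review, not a verdict; a 404 on a phpinfo probe still tells you someone was fingerprinting the host. If sessions live in Redis or the database, dump them from there before applying `find_php_in_sessions`.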
Affected versions
| Product | Version | Platform |
| --- | --- | --- |
| Adobe Commerce | 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier | All |
| Adobe Commerce B2B | 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier | All |
| Magento Open Source | 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier | All |
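To check a deployment against the version ranges in the table, here is an added Python example (written for this page, not Adobe's or Qualys's tooling). It encodes the ceilings from the table, orders Adobe's version strings the way the release lines work (alpha < GA release < p-patches), and reads the installed version out of composer.lock via the Magento metapackage names (magento/product-community-edition, magento/product-enterprise-edition, magento/extension-b2b), which are assumed to be the names present in your lock file. The composer.lock excerpt is a constructed sample.

```python
import json
import re

# Affected-version ceilings copied from the table above (APSB25-88): each entry is the
# highest affected version on its release line; that version and everything below it on
# the same line is affected.
AFFECTED = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
}

# Composer metapackage names per product (assumption: these are the names in your composer.lock).
PACKAGES = {
    "Adobe Commerce": "magento/product-enterprise-edition",
    "Magento Open Source": "magento/product-community-edition",
    "Adobe Commerce B2B": "magento/extension-b2b",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
STAGE_ORDER = {"alpha": 0, "beta": 1, "p": 2}  # a plain GA release sorts as p0


def parse_version(version):
    """Turn an Adobe Commerce version string into a sortable tuple.

    Ordering on one release line: 2.4.9-alpha1 < 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1 < 2.4.9-p2.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    stage, number = m.group(4), m.group(5)
    if stage is None:
        return (major, minor, patch, STAGE_ORDER["p"], 0)
    return (major, minor, patch, STAGE_ORDER[stage], int(number))


def is_affected(product, installed):
    """True if `installed` is at or below the ceiling for its release line, False if above,
    None if that release line is not listed for the product (e.g. an end-of-life line)."""
    inst = parse_version(installed)
    for ceiling in AFFECTED[product]:
        ceil = parse_version(ceiling)
        if ceil[:3] == inst[:3]:
            return inst <= ceil
    return None


def installed_from_composer_lock(lock_text):
    """Map product name -> installed version for each Magento metapackage in a composer.lock."""
    lock = json.loads(lock_text)
    names = {name: product for product, name in PACKAGES.items()}
    return {names[pkg["name"]]: pkg["version"]
            for pkg in lock.get("packages", []) if pkg.get("name") in names}


def report(lock_text):
    """Product -> affected verdict (True / False / None) for everything found in the lock file."""
    return {product: is_affected(product, version)
            for product, version in installed_from_composer_lock(lock_text).items()}


# Constructed composer.lock excerpt standing in for a real one.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.4.7-p5"},
    {"name": "magento/framework", "version": "103.0.7-p5"},
]})

if __name__ == "__main__":
    for product, verdict in report(SAMPLE_LOCK).items():
        status = {True: "AFFECTED", False: "not affected", None: "release line not listed"}[verdict]
        print(f"{product}: {status}")
```

Run it as `report(open("composer.lock").read())` from the Magento root. One caveat: the hotfix below does not change the version string, so a store that applied the hotfix still reports as affected here; confirm the hotfix separately rather than relying on the version alone. A `None` verdict means the release line is not in Adobe's table at all, which for an old line usually means it is out of support, not that it is safe.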
Mitigation
| Product | Version | Platform |
| --- | --- | --- |
| Adobe Commerce and Magento Open Source | Hotfix for CVE-2025-54236, compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7 | All |
For more information, please refer to the Adobe Security Advisory (APSB25-88).
Qualys Detection
Qualys customers can scan their devices with QID 733319 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com/security/products/magento/apsb25-88.html