Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Improper Input Validation in Adobe Commerce and Magento Open Source, Patch Immediately!
Image
Published : 10/09/2025
- Last update: 10/09/2025
- Affected software:
→ Adobe Commerce: <= 2.4.9-alpha2, <= 2.4.8-p2, <= 2.4.7-p7, <= 2.4.6-p12, <= 2.4.5-p14, <= 2.4.4-p15
→ Adobe Commerce B2B: <= 1.5.3-alpha2, <= 1.5.2-p2, <= 1.4.2-p7, <= 1.3.4-p14, <= 1.3.3-p15
→ Magento Open Source: <= 2.4.9-alpha2, <= 2.4.8-p2, <= 2.4.7-p7, <= 2.4.6-p12, <= 2.4.5-p14- Type: CWE-20: Improper Input Validation
- CVE/CVSS
→ CVE-2025-54236: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Sources
Adobe - https://helpx.adobe.com/security/products/magento/apsb25-88.html
Risks
Adobe Commerce and Magento Open Source are widely used e-commerce platforms for managing online stores. Exploiting CVE-2025-54236 could allow an unauthenticated attacker to bypass security features and take over user sessions, leading to unauthorized access to sensitive data and potential manipulation of transactions.
This significantly impacts the confidentiality and integrity of the platform.
Description
CVE-2025-54236 is an Improper Input Validation vulnerability (CWE-20) that allows an unauthenticated attacker to perform a security feature bypass leading to session takeover in Adobe Commerce and Magento Open Source. Successful exploitation does not require user interaction and can result in a high impact on confidentiality and integrity.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.