A critical vulnerability, CVE-2025-54236, has been found in Adobe Commerce software (formerly Magento). The vulnerability allows unauthenticated attackers to upload files and, ultimately, even take over accounts. It has been assigned a CVSS 3.1 score of 9.1 (on a scale of 1 to 10) and is classified as critical.
Magento remains one of the most popular e-commerce solutions on the internet and is estimated to be used on more than 130,000 websites. It is also offered as an enterprise solution by Adobe under the name Adobe Commerce, which is automatically patched. The following tweet indicates that the critical vulnerability CVE-2025-54236 also exists in Adobe Commerce.
SearchLight Cyber has published an analysis of the vulnerability in the article "Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236)". Bleeping Computer has covered the topic in this article, and The Hacker News has more information here.



