Which SIEM platforms have a CVE-2025-54236 detection rule?

df00tech provides CVE-2025-54236 (Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) (CVE-2025-54236)?

Detecting Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) requires the following data sources: IIS Logs, Azure Application Gateway, WAF/Proxy Logs, CommonSecurityLog.

What severity and confidence is the CVE-2025-54236 detection?

The CVE-2025-54236 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2025-54236?

Common false positives for CVE-2025-54236 include: Legitimate bulk API operations from integration partners or ERP systems sending large POST payloads; Automated e-commerce workflows (order sync, inventory updates) triggering high request volumes; Security scanners or penetration testing tools targeting the Magento application.

CVE-2025-54236 Detection: Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let MagentoEndpoints = dynamic(['/rest/', '/api/', '/index.php/rest/', '/pub/index.php', '/graphql', '/downloader/', '/admin/']);
let SuspiciousPatterns = dynamic(['eval(', 'base64_decode', 'system(', 'exec(', 'passthru(', 'shell_exec', 'phpinfo', '<?php', 'assert(', 'preg_replace']);
union
(
    W3CIISLog
    | where csUriStem has_any (MagentoEndpoints)
    | where csMethod in ('POST', 'PUT', 'PATCH')
    | where scStatus in (200, 201, 500)
    | where csUriQuery has_any (SuspiciousPatterns) or csBytes > 50000
    | extend RequestPath = strcat(csUriStem, '?', csUriQuery)
),
(
    AzureDiagnostics
    | where Category == 'ApplicationGatewayAccessLog'
    | where requestUri_s has_any (MagentoEndpoints)
    | where httpMethod_s in ('POST', 'PUT', 'PATCH')
    | where httpStatus_d in (200, 500)
    | extend RequestPath = requestUri_s
),
(
    CommonSecurityLog
    | where DeviceVendor in ('Apache', 'nginx', 'F5', 'Imperva')
    | where RequestURL has_any (MagentoEndpoints)
    | where RequestMethod in ('POST', 'PUT', 'PATCH')
    | extend RequestPath = RequestURL
)
| summarize RequestCount=count(), UniqueIPs=dcount(cIP), Paths=make_set(RequestPath, 20) by bin(TimeGenerated, 5m), cIP
| where RequestCount > 10 or UniqueIPs > 5
| extend AlertSeverity = iff(RequestCount > 50 or UniqueIPs > 20, 'Critical', 'High')
| project TimeGenerated, SourceIP=cIP, RequestCount, UniqueIPs, SuspiciousPaths=Paths, AlertSeverity

Detects suspicious POST/PUT/PATCH requests to Adobe Commerce/Magento REST API, GraphQL, and admin endpoints that may indicate CVE-2025-54236 exploitation. Flags high-volume requests, oversized payloads, and requests with embedded code patterns.

critical severity medium confidence

Data Sources

IIS Logs Azure Application Gateway WAF/Proxy Logs CommonSecurityLog

Required Tables

W3CIISLog AzureDiagnostics CommonSecurityLog

False Positives

Legitimate bulk API operations from integration partners or ERP systems sending large POST payloads
Automated e-commerce workflows (order sync, inventory updates) triggering high request volumes
Security scanners or penetration testing tools targeting the Magento application
Load balancer health checks hitting REST endpoints repeatedly

Splunk

spl

index=web OR index=iis OR index=apache OR index=nginx
(uri_path="*/rest/*" OR uri_path="*/graphql" OR uri_path="*/index.php/rest/*" OR uri_path="*/admin/*" OR uri_path="*/downloader/*")
(method="POST" OR method="PUT" OR method="PATCH")
| eval is_suspicious_payload=if(match(uri_query, "(eval\(|base64_decode|system\(|exec\(|passthru|shell_exec|phpinfo|\<\?php|assert\()"), 1, 0)
| eval is_large_payload=if(bytes_in > 50000, 1, 0)
| eval is_error_response=if(status=500 OR status=502 OR status=503, 1, 0)
| stats count AS request_count,
        dc(src_ip) AS unique_src_ips,
        dc(uri_path) AS unique_paths,
        sum(is_suspicious_payload) AS suspicious_payload_count,
        sum(is_large_payload) AS large_payload_count,
        sum(is_error_response) AS error_response_count,
        values(uri_path) AS paths,
        values(status) AS status_codes
        BY _time span=5m, src_ip
| where request_count > 5 OR suspicious_payload_count > 0 OR large_payload_count > 2
| eval risk_score=case(
    suspicious_payload_count > 0, 90,
    large_payload_count > 5 AND error_response_count > 2, 75,
    request_count > 50, 60,
    1=1, 40
  )
| eval severity=case(risk_score >= 80, "critical", risk_score >= 60, "high", risk_score >= 40, "medium", 1=1, "low")
| where risk_score >= 40
| sort - risk_score
| table _time, src_ip, request_count, unique_src_ips, suspicious_payload_count, large_payload_count, error_response_count, paths, status_codes, risk_score, severity

Splunk query detecting suspicious requests to Magento/Adobe Commerce endpoints indicative of CVE-2025-54236 exploitation. Scores requests based on payload characteristics, volume, and error responses.

critical severity medium confidence

Data Sources

Web Server Logs IIS Logs Apache/Nginx Access Logs WAF Logs

Required Sourcetypes

access_combined iis ms:iis:auto nginx:plus:kv pan:traffic

False Positives

Legitimate bulk API calls from POS systems or warehouse management integrations
Content migration tools sending large payloads to REST API endpoints
Automated testing frameworks running against staging/production Commerce instances
Search crawlers or price aggregators making repeated requests to product APIs

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=2m
  [network where event.category == "network" and
   http.request.method in ("POST", "PUT", "PATCH") and
   (
     url.path like~ "*/rest/*" or
     url.path like~ "*/graphql*" or
     url.path like~ "*/index.php/rest/*" or
     url.path like~ "*/admin/index.php*" or
     url.path like~ "*/downloader/*"
   ) and
   http.response.status_code in (200, 500, 403)
  ] with runs=3
  [process where event.category == "process" and
   event.type == "start" and
   process.parent.name in ("php", "php-fpm", "httpd", "nginx", "apache2") and
   process.name in ("sh", "bash", "cmd.exe", "powershell.exe", "wget", "curl", "python", "python3")
  ]

EQL sequence detection correlating repeated suspicious HTTP requests to Magento endpoints with subsequent child process spawning from web server processes, a strong indicator of successful RCE via CVE-2025-54236.

critical severity high confidence

Data Sources

Elastic Agent Auditbeat Packetbeat Winlogbeat

Required Tables

logs-* filebeat-* auditbeat-* packetbeat-*

False Positives

Magento cron jobs spawning shell processes through legitimate PHP execution
Deployment scripts that use curl/wget for extension downloads during maintenance windows
Admin-triggered import/export operations that invoke shell commands via PHP
Security monitoring agents running from web server context

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  Method,
  "HTTP Response Code" AS response_code,
  "Bytes Sent" AS bytes_sent,
  COUNT(*) AS request_count
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Apache HTTP Server', 'NGINX', 'F5 BIG-IP')
  AND (
    URL ILIKE '%/rest/%'
    OR URL ILIKE '%/graphql%'
    OR URL ILIKE '%/index.php/rest/%'
    OR URL ILIKE '%/admin/index.php%'
    OR URL ILIKE '%/downloader/%'
  )
  AND Method IN ('POST', 'PUT', 'PATCH')
  AND LAST 24 HOURS
GROUP BY
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm'),
  sourceip,
  destinationip,
  URL,
  Method,
  "HTTP Response Code",
  "Bytes Sent"
HAVING
  COUNT(*) > 5
  OR "Bytes Sent" > 50000
ORDER BY request_count DESC

QRadar AQL query identifying unusual POST/PUT/PATCH activity to Adobe Commerce and Magento endpoints, filtering for high-frequency or large-payload requests that may indicate CVE-2025-54236 exploitation.

high severity medium confidence

Data Sources

IIS Log Source Apache HTTP Server Nginx F5 BIG-IP

Required Tables

events

False Positives

Bulk product catalog imports via REST API from ERP integrations
High-volume order processing from B2B customers using API keys
Legitimate third-party Magento extensions making frequent API calls
Load testing performed against Commerce instances during off-hours maintenance

Sumo Logic CSE

sql

_sourceCategory=web/access OR _sourceCategory=iis OR _sourceCategory=apache
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "\"(?<method>GET|POST|PUT|PATCH|DELETE)\s+(?<uri_path>[^\s]+)" nodrop
| parse regex "\s(?<status_code>\d{3})\s" nodrop
| parse regex "\s(?<bytes>\d+)$" nodrop
| where method in ("POST", "PUT", "PATCH")
| where uri_path matches "*/rest/*" or uri_path matches "*/graphql*" or uri_path matches "*/index.php/rest/*" or uri_path matches "*/admin/*" or uri_path matches "*/downloader/*"
| timeslice 5m
| count as request_count, pct(bytes, 95) as p95_bytes by _timeslice, src_ip, uri_path
| where request_count > 5 or p95_bytes > 50000
| sort by request_count desc
| fields _timeslice, src_ip, uri_path, request_count, p95_bytes

Sumo Logic query detecting high-frequency or large-payload POST/PUT/PATCH requests to Magento/Adobe Commerce API and admin endpoints, indicating potential exploitation of CVE-2025-54236.

high severity medium confidence

Data Sources

Web Server Access Logs IIS Logs Apache Access Logs

Required Tables

_sourceCategory=web/access _sourceCategory=iis

False Positives

API-driven catalog management tools uploading product images or bulk configurations
Magento marketplace extension auto-updaters making large POST requests
Payment gateway callbacks posting large transaction payloads to Commerce endpoints
CDN origin pull requests that appear as high-volume repeated requests from a single IP

Google Chronicle / SecOps

yaral

rule cve_2025_54236_adobe_commerce_input_validation {
  meta:
    author = "Argus Detection Platform"
    description = "Detects potential exploitation of CVE-2025-54236 in Adobe Commerce/Magento via suspicious API requests"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-54236"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method = /POST|PUT|PATCH/
    (
      $e.network.http.target_url = /\/rest\// or
      $e.network.http.target_url = /\/graphql/ or
      $e.network.http.target_url = /\/index\.php\/rest\// or
      $e.network.http.target_url = /\/admin\/index\.php/ or
      $e.network.http.target_url = /\/downloader\//
    )
    (
      $e.network.http.response_code = 200 or
      $e.network.http.response_code = 500
    )
    $e.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #e > 10
}

Chronicle YARA-L rule detecting high-frequency POST/PUT/PATCH requests to Adobe Commerce and Magento API endpoints. Triggers when a single source IP makes more than 10 qualifying requests within a 5-minute window.

critical severity medium confidence

Data Sources

Web Proxy Logs HTTP Metadata Cloud Load Balancer Logs

Required Tables

network_http

False Positives

Automated order management systems sending bursts of API requests during peak hours
B2B customer portals with API integration making repeated authenticated calls
Monitoring and synthetic transaction tools probing Commerce API health endpoints
GraphQL clients with aggressive query batching or polling behaviors

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkReceiveAcceptIP4
| ProcessImageFileName = /(?i)(httpd|nginx|php|php-fpm|w3wp)\.exe?$/
| RemoteAddressIP4 = *
| LocalPort in (80, 443, 8080, 8443)
| join {
    #event_simpleName=ProcessRollup2
    | ImageFileName = /(?i)(httpd|nginx|php|php-fpm|w3wp)\.exe?$/
    | ChildImageFileName = /(?i)(sh|bash|cmd\.exe|powershell\.exe|wget|curl|python)\.?\d*$/
    | groupby([ComputerName, ParentProcessId, ChildProcessId, ChildImageFileName, CommandLine], function=count())
  } [ComputerName, ProcessId=ParentProcessId]
| eval risk=if(match(CommandLine, /(?i)(curl|wget|base64|python|nc |ncat|bash -i|powershell -enc)/), "critical", "high")
| sort -_count
| select ComputerName, ImageFileName, ChildImageFileName, CommandLine, RemoteAddressIP4, LocalPort, risk

CrowdStrike CQL detecting web server processes (Apache, nginx, PHP, IIS) spawning suspicious child processes such as shells, wget, curl, or interpreters — a strong post-exploitation signal following CVE-2025-54236 exploitation.

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor Process Telemetry Network Telemetry

Required Tables

ProcessRollup2 NetworkReceiveAcceptIP4

False Positives

Magento cron jobs legitimately invoking bash scripts for maintenance tasks
Composer package manager running curl for extension downloads during deployments
Custom Magento modules that use PHP exec() for legitimate image processing or PDF generation
DevOps automation scripts that run under the web server user context during deployments

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2025-54236 Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2025-54236

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox