Detect Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) in Google Chronicle
Detects exploitation of CVE-2025-54236, an improper input validation vulnerability in Adobe Commerce and Magento. This KEV-listed vulnerability allows attackers to submit maliciously crafted input to Commerce/Magento endpoints, potentially leading to remote code execution, unauthorized data access, or store compromise. The YARA-L rule on this page covers one signal only: anomalous volumes of write requests (POST/PUT/PATCH) against Magento/Commerce API endpoints from a single source. Unexpected PHP execution and post-exploitation activity need separate filesystem and process telemetry (see the testing methodology); the request-rate rule alone will not see them.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence, Impact
YARA-L Detection Query
rule cve_2025_54236_adobe_commerce_input_validation {

  meta:
    author = "Argus Detection Platform"
    description = "Detects potential exploitation of CVE-2025-54236 in Adobe Commerce/Magento via suspicious API requests"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-54236"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // Every line in the events section is implicitly joined with "and".
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method = /POST|PUT|PATCH/
    // Magento REST, GraphQL, admin and legacy downloader paths
    (
      $e.network.http.target_url = /\/rest\// or
      $e.network.http.target_url = /\/graphql/ or
      $e.network.http.target_url = /\/index\.php\/rest\// or
      $e.network.http.target_url = /\/admin\/index\.php/ or
      $e.network.http.target_url = /\/downloader\//
    )
    // Only successful and server-error responses are counted;
    // 4xx replies (rejected input, auth failures) never contribute.
    (
      $e.network.http.response_code = 200 or
      $e.network.http.response_code = 500
    )
    $e.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #e > 10
}

Chronicle YARA-L rule detecting high-frequency POST/PUT/PATCH requests to Adobe Commerce and Magento API endpoints. It fires when a single source IP makes more than 10 qualifying requests (response code 200 or 500) within a 5-minute window; GET traffic and 4xx responses do not count toward the threshold.
Data Sources
Required Tables
False Positives & Tuning
- Automated order management systems sending bursts of API requests during peak hours
- B2B customer portals with API integration making repeated authenticated calls
- Monitoring and synthetic transaction tools probing Commerce API health endpoints
- GraphQL clients with aggressive query batching or polling behaviors
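The rule's logic replayed in Python over a constructed access log, as an added example (not code from this page or from the Argus platform). It mirrors the events predicates (method, endpoint regex, 200/500 responses), the per-source-IP 5-minute window and the `#e > 10` condition, then shows the allowlist tuning that the false-positive list above calls for. Assumptions: Combined-log-format lines in chronological order, a per-IP sliding window as a stand-in for Chronicle's match window, and the sample IPs 203.0.113.5, 192.0.2.9 and 198.51.100.7 are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format access log line (constructed sample data; not captured traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Mirrors the rule's events section: method, endpoint regex, response codes.
METHODS = {"POST", "PUT", "PATCH"}
ENDPOINT_RE = re.compile(r"/rest/|/graphql|/index\.php/rest/|/admin/index\.php|/downloader/")
STATUSES = {200, 500}
WINDOW = timedelta(minutes=5)   # match: $src_ip over 5m
THRESHOLD = 10                  # condition: #e > 10


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def qualifies(ev):
    """True when the event satisfies every predicate of the rule's events section."""
    return (ev["method"] in METHODS
            and ENDPOINT_RE.search(ev["path"]) is not None
            and ev["status"] in STATUSES)


def detect(lines, allowlist=frozenset()):
    """Return {src_ip: timestamp of the request that pushed it over THRESHOLD}.

    A sliding window per source IP approximates Chronicle's match window
    (assumption: close enough to validate the threshold logic). Source IPs in
    `allowlist` (known integrations, synthetic monitors) are dropped before
    counting, which is the tuning step recommended above.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not qualifies(ev) or ev["ip"] in allowlist:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # q always holds the event just appended
            q.popleft()
        if len(q) > THRESHOLD and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def _line(ip, minute, second, method, path, status):
    return (f'{ip} - - [10/Oct/2025:12:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.4.0"')


REST_PATHS = ["products", "customers", "orders", "carts/mine", "guest-carts", "products",
              "customers/me", "orders", "products/search", "customers", "products", "carts/mine"]

# Constructed sample log. 203.0.113.5 hits twelve /rest/V1/ endpoints in 44 s
# (the Test 3 reconnaissance pattern); 192.0.2.9 sends many GETs, which the
# rule ignores, plus three POSTs; 198.51.100.7 is a known integration host.
SAMPLE_LOG = (
    [_line("203.0.113.5", 0, i * 4, "POST", f"/rest/V1/{p}", 500 if i % 3 == 0 else 200)
     for i, p in enumerate(REST_PATHS)]
    + [_line("192.0.2.9", 1, i, "GET", "/rest/V1/products", 200) for i in range(15)]
    + [_line("192.0.2.9", 2, i, "POST", "/rest/V1/guest-carts", 200) for i in range(3)]
    + [_line("198.51.100.7", 3, i * 4, "POST", "/rest/V1/products", 200) for i in range(12)]
)


def run_untuned():
    """Rule as written: both the attacker and the integration host fire."""
    return detect(SAMPLE_LOG)


def run_tuned():
    """Same rule with the integration host allowlisted: only the attacker fires."""
    return detect(SAMPLE_LOG, allowlist=frozenset({"198.51.100.7"}))


if __name__ == "__main__":
    for name, res in (("untuned", run_untuned()), ("tuned", run_tuned())):
        print(name, {ip: ts.strftime("%H:%M:%S") for ip, ts in res.items()})
```

The untuned run fires on both the scanner and the integration host, which is exactly the false positive the list above describes; allowlisting the integration source (or, in Chronicle, a reference list checked in the events section) leaves only the reconnaissance burst. The alert lands on the eleventh qualifying request, so a scanner that spaces requests more than 30 seconds apart never trips a 10-in-5-minutes threshold.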
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Magento REST API Malformed Input Fuzzing
  Expected signal: web server access logs show POST requests to /rest/V1/products and /rest/V1/customers with large Content-Length values and HTTP 400/500 response codes. Note that the rule above counts only 200 and 500 responses, so the 400s produced by rejected input do not contribute to its threshold; only the 500s do.
- Test 2: PHP Web Shell Upload via Compromised Magento Admin
  Expected signal: Apache/Nginx access logs showing a POST to the admin CMS endpoint; filesystem monitoring alerts on new .php file creation under pub/media/; process execution logs if the uploaded file is executed by PHP. This test exercises the post-exploitation signals that the request-rate rule itself does not cover.
- Test 3: Rapid Sequential API Endpoint Reconnaissance
  Expected signal: web server access logs showing rapid sequential POST requests to multiple /rest/V1/ endpoints from a single source IP within a short timeframe. This is the pattern the YARA-L rule is built to catch; it should fire once the eleventh qualifying request lands inside the 5-minute window.