Detect Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) in Microsoft Sentinel
Detects exploitation of CVE-2025-54236, an improper input validation vulnerability in Adobe Commerce and Magento. This KEV-listed vulnerability allows attackers to submit maliciously crafted input to Commerce/Magento endpoints, potentially leading to remote code execution, unauthorized data access, or store compromise. Detection focuses on anomalous HTTP request patterns to Magento/Commerce endpoints, unexpected PHP execution, and indicators of post-exploitation activity.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
KQL Detection Query
let MagentoEndpoints = dynamic(['/rest/', '/api/', '/index.php/rest/', '/pub/index.php', '/graphql', '/downloader/', '/admin/']);
let SuspiciousPatterns = dynamic(['eval(', 'base64_decode', 'system(', 'exec(', 'passthru(', 'shell_exec', 'phpinfo', '<?php', 'assert(', 'preg_replace']);
union
(
W3CIISLog
| where csUriStem has_any (MagentoEndpoints)
| where csMethod in ('POST', 'PUT', 'PATCH')
| where scStatus in (200, 201, 500)
| where csUriQuery has_any (SuspiciousPatterns) or csBytes > 50000
| extend RequestPath = strcat(csUriStem, '?', csUriQuery)
),
(
AzureDiagnostics
| where Category == 'ApplicationGatewayAccessLog'
| where requestUri_s has_any (MagentoEndpoints)
| where httpMethod_s in ('POST', 'PUT', 'PATCH')
| where httpStatus_d in (200, 500)
| extend RequestPath = requestUri_s
),
(
CommonSecurityLog
| where DeviceVendor in ('Apache', 'nginx', 'F5', 'Imperva')
| where RequestURL has_any (MagentoEndpoints)
| where RequestMethod in ('POST', 'PUT', 'PATCH')
| extend RequestPath = RequestURL
)
| summarize RequestCount=count(), UniqueIPs=dcount(cIP), Paths=make_set(RequestPath, 20) by bin(TimeGenerated, 5m), cIP
| where RequestCount > 10 or UniqueIPs > 5
| extend AlertSeverity = iff(RequestCount > 50 or UniqueIPs > 20, 'Critical', 'High')
| project TimeGenerated, SourceIP=cIP, RequestCount, UniqueIPs, SuspiciousPaths=Paths, AlertSeverityDetects suspicious POST/PUT/PATCH requests to Adobe Commerce/Magento REST API, GraphQL, and admin endpoints that may indicate CVE-2025-54236 exploitation. Flags high-volume requests, oversized payloads, and requests with embedded code patterns.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate bulk API operations from integration partners or ERP systems sending large POST payloads
- Automated e-commerce workflows (order sync, inventory updates) triggering high request volumes
- Security scanners or penetration testing tools targeting the Magento application
- Load balancer health checks hitting REST endpoints repeatedly
Other platforms for CVE-2025-54236
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Magento REST API Malformed Input Fuzzing
Expected signal: Web server access logs should show POST requests to /rest/V1/products and /rest/V1/customers with large Content-Length values and HTTP 400/500 response codes
- Test 2PHP Web Shell Upload via Compromised Magento Admin
Expected signal: IIS/Apache logs showing POST to admin CMS endpoint; filesystem monitoring alerts on new .php file creation in pub/media/; process execution logs if PHP is evaluated
- Test 3Rapid Sequential API Endpoint Reconnaissance
Expected signal: Web server access logs showing rapid sequential POST requests to multiple /rest/V1/ endpoints from a single source IP within a short timeframe
Unlock Pro Content
Get the full detection package for CVE-2025-54236 including response playbook, investigation guide, and atomic red team tests.