CVE-2025-54236 Splunk · SPL

Detect Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236) in Splunk

Detects exploitation of CVE-2025-54236, an improper input validation vulnerability in Adobe Commerce and Magento. This KEV-listed vulnerability allows attackers to submit maliciously crafted input to Commerce/Magento endpoints, potentially leading to remote code execution, unauthorized data access, or store compromise. Detection focuses on anomalous HTTP request patterns to Magento/Commerce endpoints, unexpected PHP execution, and indicators of post-exploitation activity.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Impact

SPL Detection Query

Splunk (SPL)

index=web OR index=iis OR index=apache OR index=nginx
(uri_path="*/rest/*" OR uri_path="*/graphql" OR uri_path="*/index.php/rest/*" OR uri_path="*/admin/*" OR uri_path="*/downloader/*")
(method="POST" OR method="PUT" OR method="PATCH")
| eval is_suspicious_payload=if(match(uri_query, "(eval\(|base64_decode|system\(|exec\(|passthru|shell_exec|phpinfo|\<\?php|assert\()"), 1, 0)
| eval is_large_payload=if(bytes_in > 50000, 1, 0)
| eval is_error_response=if(status=500 OR status=502 OR status=503, 1, 0)
| bin _time span=5m
| stats count AS request_count,
        dc(src_ip) AS unique_src_ips,
        dc(uri_path) AS unique_paths,
        sum(is_suspicious_payload) AS suspicious_payload_count,
        sum(is_large_payload) AS large_payload_count,
        sum(is_error_response) AS error_response_count,
        values(uri_path) AS paths,
        values(status) AS status_codes
        BY _time, src_ip
| where request_count > 5 OR suspicious_payload_count > 0 OR large_payload_count > 2
| eval risk_score=case(
    suspicious_payload_count > 0, 90,
    large_payload_count > 5 AND error_response_count > 2, 75,
    request_count > 50, 60,
    1=1, 40
  )
| eval severity=case(risk_score >= 80, "critical", risk_score >= 60, "high", risk_score >= 40, "medium", 1=1, "low")
| where risk_score >= 40
| sort - risk_score
| table _time, src_ip, request_count, unique_src_ips, suspicious_payload_count, large_payload_count, error_response_count, paths, status_codes, risk_score, severity

Severity: critical · Confidence: medium

Splunk query detecting suspicious write requests (POST/PUT/PATCH) to Magento/Adobe Commerce endpoints indicative of CVE-2025-54236 exploitation. Each source IP is scored per 5-minute window on payload content (PHP execution primitives in the query string), request volume, oversized request bodies, and 5xx error responses.
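To make the scoring logic testable outside Splunk, here is an added Python reimplementation of the same detection run over constructed web-server log lines; it is not part of the original rule and is not vendor code. It assumes Apache combined-format lines whose byte field carries the request size (mod_logio %I in place of %b) so that it can stand in for Splunk's bytes_in, and it goes one step beyond the SPL by percent-decoding the query string before matching (so "eval%28" is seen as "eval(") and by applying an allowlist for known integration sources, as suggested under False Positives & Tuning. The sample traffic, IP addresses and the WMS allowlist entry are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample traffic (not real logs). Apache combined format; the byte
# field is assumed to be request size (mod_logio %I) and is treated as bytes_in.
SAMPLE_LOGS = """\
10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "POST /rest/V1/products HTTP/1.1" 400 512 "-" "python-requests/2.31"
10.0.0.5 - - [10/Sep/2025:12:00:02 +0000] "POST /rest/V1/customers HTTP/1.1" 500 60000 "-" "python-requests/2.31"
10.0.0.5 - - [10/Sep/2025:12:00:03 +0000] "POST /rest/V1/customers HTTP/1.1" 500 70000 "-" "python-requests/2.31"
10.0.0.5 - - [10/Sep/2025:12:00:04 +0000] "POST /rest/V1/orders HTTP/1.1" 500 80000 "-" "python-requests/2.31"
198.51.100.7 - - [10/Sep/2025:12:01:10 +0000] "POST /graphql?query=%7Bproducts%7D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:12:01:11 +0000] "POST /index.php/rest/V1/products?x=eval%28 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2025:12:02:00 +0000] "GET /rest/V1/products HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Sep/2025:12:03:00 +0000] "POST /rest/V1/products HTTP/1.1" 200 120000 "-" "WMS-Sync/1.0"
192.0.2.20 - - [10/Sep/2025:12:03:05 +0000] "POST /rest/V1/products HTTP/1.1" 200 130000 "-" "WMS-Sync/1.0"
192.0.2.20 - - [10/Sep/2025:12:03:10 +0000] "POST /rest/V1/products HTTP/1.1" 200 125000 "-" "WMS-Sync/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes_in>\d+|-)'
)
# Same endpoint globs, methods and payload pattern as the SPL rule.
MAGENTO_PATH_RE = re.compile(r'(/rest/|/graphql$|/index\.php/rest/|/admin/|/downloader/)')
SUSPICIOUS_RE = re.compile(
    r'(eval\(|base64_decode|system\(|exec\(|passthru|shell_exec|phpinfo|<\?php|assert\()'
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}
ERROR_STATUSES = {500, 502, 503}
SPAN_SECONDS = 300  # stats ... BY _time span=5m


def parse_line(line):
    """Return the fields the detection needs, or None if the line is out of scope."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    if m.group("method") not in WRITE_METHODS or not MAGENTO_PATH_RE.search(path):
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    raw_bytes = m.group("bytes_in")
    return {
        "src_ip": m.group("src_ip"),
        "bucket": int(ts.timestamp()) // SPAN_SECONDS * SPAN_SECONDS,
        "path": path,
        "status": int(m.group("status")),
        "bytes_in": int(raw_bytes) if raw_bytes != "-" else 0,
        # Percent-decode before matching so an encoded "eval(" is still caught.
        "suspicious": bool(SUSPICIOUS_RE.search(unquote(query))),
    }


def risk_score(g):
    """The SPL case() expression, evaluated in the same order."""
    if g["suspicious_payload_count"] > 0:
        return 90
    if g["large_payload_count"] > 5 and g["error_response_count"] > 2:
        return 75
    if g["request_count"] > 50:
        return 60
    return 40


def severity(score):
    return "critical" if score >= 80 else "high" if score >= 60 else "medium" if score >= 40 else "low"


def detect(log_text, allowlist=frozenset()):
    """Aggregate per (5-minute bucket, src_ip); return scored rows, highest risk first."""
    groups = defaultdict(lambda: {
        "request_count": 0, "suspicious_payload_count": 0, "large_payload_count": 0,
        "error_response_count": 0, "paths": set(), "status_codes": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src_ip"] in allowlist:  # allowlist = tuning for known integrations
            continue
        g = groups[(ev["bucket"], ev["src_ip"])]
        g["request_count"] += 1
        g["suspicious_payload_count"] += ev["suspicious"]
        g["large_payload_count"] += ev["bytes_in"] > 50000
        g["error_response_count"] += ev["status"] in ERROR_STATUSES
        g["paths"].add(ev["path"])
        g["status_codes"].add(ev["status"])

    results = []
    for (bucket, src_ip), g in groups.items():
        if not (g["request_count"] > 5 or g["suspicious_payload_count"] > 0
                or g["large_payload_count"] > 2):
            continue
        score = risk_score(g)
        results.append({"_time": bucket, "src_ip": src_ip, **g,
                        "risk_score": score, "severity": severity(score)})
    return sorted(results, key=lambda r: r["risk_score"], reverse=True)


if __name__ == "__main__":
    # 192.0.2.20 is a constructed warehouse-management integration, excluded per tuning notes.
    for row in detect(SAMPLE_LOGS, allowlist={"192.0.2.20"}):
        print(row["src_ip"], row["risk_score"], row["severity"], sorted(row["paths"]))
```

Running it flags 198.51.100.7 as critical (one decoded eval( in a query string) and 10.0.0.5 as medium (three oversized bodies with three 5xx responses, the shape described in Test 1 below), while the allowlisted WMS host, which would otherwise also score 40 on payload size alone, is dropped. The GET request is never counted, matching the method filter in the SPL.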

Data Sources

  • Web Server Logs
  • IIS Logs
  • Apache/Nginx Access Logs
  • WAF Logs

Required Sourcetypes

access_combined, iis, ms:iis:auto, nginx:plus:kv, pan:traffic

False Positives & Tuning

  • Legitimate bulk API calls from POS systems or warehouse management integrations
  • Content migration tools sending large payloads to REST API endpoints
  • Automated testing frameworks running against staging/production Commerce instances
  • Search crawlers or price aggregators making repeated requests to product APIs

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Magento REST API Malformed Input Fuzzing

    Expected signal: Web server access logs should show POST requests to /rest/V1/products and /rest/V1/customers with large Content-Length values and HTTP 400/500 response codes

  2. Test 2: PHP Web Shell Upload via Compromised Magento Admin

    Expected signal: IIS/Apache logs showing POST to admin CMS endpoint; filesystem monitoring alerts on new .php file creation in pub/media/; process execution logs if PHP is evaluated

  3. Test 3: Rapid Sequential API Endpoint Reconnaissance

    Expected signal: Web server access logs showing rapid sequential POST requests to multiple /rest/V1/ endpoints from a single source IP within a short timeframe
