CISA KEV Adds Critical Flaws: Magento Input Validation and WSUS Deserialization

CISA has added two high‑risk entries to its Known Exploited Vulnerabilities (KEV) Catalog, naming CVE‑2025‑54236 — an Improper Input Validation flaw in Adobe Commerce and Magento — and CVE‑2025‑59287 — a Deserialization of Untrusted Data vulnerability in Microsoft’s Windows Server Update Service (WSUS). Both defects carry critical severity and practical exploitability characteristics that place them squarely in the category of vulnerabilities federal agencies are required to prioritize under Binding Operational Directive (BOD) 22‑01. The additions underscore immediate remediation priorities for enterprise defenders: patch or mitigate quickly, hunt for indicators of compromise, and harden detection and segmentation controls to contain possible weaponization.

Background​

What the KEV Catalog and BOD 22‑01 mean for organizations​

The Known Exploited Vulnerabilities Catalog is CISA’s curated list of CVEs for which there is credible evidence of active exploitation. Under BOD 22‑01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV‑listed vulnerabilities by the due dates specified by CISA. The directive established a framework to prioritize fixes for vulnerabilities with verified active exploitation and to reduce immediate risk to federal networks. Although BOD 22‑01 is targeted at FCEB agencies, the KEV Catalog is treated as a de‑facto priority playbook for private sector organizations and managed service providers that share infrastructure with government customers.

Why these two additions matter now​

Both vulnerabilities represent classic and frequently exploited patterns: improper input validation in a web application stack and unsafe deserialization in a critical infrastructure component. Each allows remote attackers to impact confidentiality and integrity at scale, and — in the case of WSUS — may permit unauthenticated remote code execution in servers that often run with elevated privileges. The combination of wide exposure, easy exploitability, and presence in trusted infrastructure makes these two additions significant for enterprise defenders and incident response teams.

---

CVE‑2025‑54236 — Adobe Commerce / Magento: Improper Input Validation​

The technical picture​

CVE‑2025‑54236 affects Adobe Commerce and Magento Open Source implementations that expose the Commerce REST API. The vulnerability is an improper input validation issue in the Web API’s input processing (ServiceInputProcessor) that can enable session takeover without requiring user interaction. Reported severity ratings place the flaw in the critical to high‑critical range (commonly reported CVSS scores around 9.1), driven by network‑accessible attack vector, no required privileges, and high confidentiality/integrity impact.
Affected builds span multiple 2.4.x patch releases; Adobe published a hotfix series addressing the problem and provided mitigation guidance for hosted customers (including WAF protections for Commerce Cloud). The vendor flagged that exploitation can result in session hijack, account takeover, and deployment of webshells or other persistence mechanisms aimed at data theft or further lateral movement.

Evidence of active exploitation and operational impact​

Security vendors and incident telemetry reported active exploitation campaigns leveraging this flaw against publicly reachable Magento installations. Observed behaviors in attacks include automated scanning of Magento endpoints, dropping of PHP webshells, and attempts to pivot to payment and order systems. Some third‑party monitoring firms reported several hundred exploitation attempts in short timeframes against unpatched stores — an operationally meaningful signal that the vulnerability was being weaponized in the wild.
Note: counts of observed attacks originate from security researchers and commercial telemetry platforms; these numbers vary across sources and should be treated as indicative rather than definitive.

Mitigation and remediation​

Immediate actions for affected Adobe Commerce / Magento environments:

• Apply the vendor hotfix or patch (the priority hotfix series released by Adobe) to all affected installations as soon as possible.
• If using Adobe Commerce on Cloud, ensure WAF rules provided by the vendor remain active and review WAF logs for blocked attempts.
• Revoke and rotate session tokens and API keys where feasible; force logouts of administrative and customer sessions as a precaution.
• Scan for and eradicate webshells, unauthorized PHP files, modified cron tasks, and suspicious uploads. Focus on the Magento root and media/var directories where attackers typically drop artefacts.
• Harden access to admin endpoints by restricting access by IP, enforcing strong MFA for administrative accounts, and limiting public exposure of management interfaces.
• Deploy tuned IDS/IPS and EDR hunting rules to detect suspicious PHP execution, anomalous outgoing traffic from web servers, and indicators of privilege escalation.

Detection and hunting indicators​

Hunt and detection teams should prioritize these signals:

• Unusual HTTP POST requests to REST API endpoints or ServiceInputProcessor paths with anomalous payloads.
• Suspicious new PHP files, particularly under var/, pub/ or app/ directories, or files with names mimicking legitimate Magento components.
• Unexpected process spawns from the web server user (e.g., php accessing shell utilities), encoded payloads, or base64‑encoded/php‑eval patterns in posted data.
• Sudden creation of admin users or modification of admin roles.
• Unauthorized changes to payment or order records and sudden bursts of high‑volume outbound connections to unfamiliar IPs.

---

CVE‑2025‑59287 — WSUS: Deserialization of Untrusted Data​

The technical picture​

CVE‑2025‑59287 is a critical deserialization vulnerability in Windows Server Update Service (WSUS) that allows an unauthenticated remote attacker to trigger unsafe deserialization of data and achieve remote code execution. The problem stems from legacy deserialization pathways that accept decrypted AuthorizationCookie payloads and pass them directly to unsafe serializers (notably .NET’s BinaryFormatter) without sufficient type or content validation.
Because WSUS typically runs as a privileged service and listens on network ports used for software update delivery (commonly 8530/8531), successful exploitation can yield full system compromise on servers that host the WSUS role. Reported severity ratings cluster at the highest end (CVSS scores reported near 9.8), reflecting the remote unauthenticated attack vector and potential for high impact.

Why WSUS is a high‑risk target​

WSUS is widely deployed across enterprise Windows estates to centrally manage updates and distribute patches. Its privileged role and pervasive network reach make it an attractive island for attackers: compromise of a WSUS server can be escalated to a foothold with enterprise‑level access, given the server’s permissions and trust relationships with client endpoints. The unsafe deserialization pattern is historically prone to remote code execution in .NET apps when BinaryFormatter or similar serializers are misused.
At disclosure, public reporting indicated the existence of proof‑of‑concept (PoC) exploit code. Microsoft classified the flaw with a high exploitability potential and included fixes as part of an emergency patch cycle. Advisories recommended immediate patching and offered mitigation options for administrators who cannot patch immediately.

Mitigation and remediation​

Recommended immediate steps for organizations with WSUS servers:

• Apply Microsoft’s security update for CVE‑2025‑59287 on WSUS hosts without delay.
• Where immediate patching is not possible, consider temporarily disabling the WSUS role or isolating the WSUS server from untrusted networks. Note that disabling WSUS halts centralized updating and requires compensating controls to keep clients patched.
• Block inbound traffic on WSUS listening ports (typically TCP 8530 and 8531) at the firewall until patches can be applied.
• Restrict administrative access to WSUS servers and ensure they are placed on segmented management networks with strict access controls.
• Verify WSUS configuration integrity and inspect for signs of post‑exploit activity: new scheduled tasks, unexpected services, or unusual system binaries.
• If a public PoC is circulating in your environment, treat the server as at‑risk and accelerate containment and forensics.

Detection and hunting indicators​

Key checks and telemetry to prioritize:

• Web server logs showing unauthenticated POSTs targeting WSUS endpoints with unusual AuthorizationCookie payloads.
• Unexpected process creation (cmd, powershell) or w3wp.exe spawning child processes.
• New or modified DLLs, executables, or unexpected services installed near the timeframe of suspicious traffic.
• Abnormal outgoing connections from the WSUS host to unknown destinations, particularly on uncommon high‑risk ports.
• EDR alerts for suspicious deserialization patterns, process injection, or anomalous binary execution from IIS/WSUS processes.

---

What this means for federal and enterprise defenders​

Risk assessment: breadth and severity​

• Adobe Commerce / Magento vulnerability impacts externally facing web applications processing customer accounts and payments. Many e‑commerce instances are managed by third parties or hosted on mixed‑trust infrastructure, increasing the risk of partial or delayed remediation.
• WSUS vulnerability impacts internal update infrastructure that often runs with high privileges and long uptime. A wormable or widely automated RCE in WSUS could have cascading effects across an enterprise if not contained.
• Both flaws are in high‑value targets: e‑commerce platforms and update infrastructure. Attackers typically favor these targets due to direct monetary benefit or broad lateral‑movement potential.

Operational challenges​

• Patching heterogenous environments takes time and is complicated by custom integrations, third‑party plugins (Magento extensions), and maintenance windows.
• WSUS sits at a junction point where patching it may be operationally disruptive. Administrators must balance rapid remediation against the need to maintain update delivery to endpoints.
• Vendors’ hotfixes and patches occasionally require configuration changes or testing to avoid breaking integrations; that testing window is when organizations are most exposed.

---

Prioritized remediation playbook (for immediate operational use)​

• Inventory: Identify all systems running Adobe Commerce, Magento, and WSUS. Include cloud‑hosted, managed, and vendor‑provided instances.
• Patch: Apply vendor hotfixes and Microsoft updates to listed systems as first priority.
• Isolate: For WSUS systems awaiting patch, block inbound 8530/8531 and limit management network access. For Magento, restrict admin endpoints by IP and enforce MFA.
• Revoke and rotate: In Commerce environments, invalidate sessions and rotate API keys and tokens. Revoke any credentials that may have been exposed.
• Hunt: Run targeted detection hunts for the indicators listed above. Prioritize webshell searches and suspicious POSTs to API paths.
• Forensics: If evidence of compromise is found, preserve volatile logs, capture memory if possible, and snapshot affected VMs before remediation actions that could destroy evidence.
• Remediate: Remove webshells, rollback unauthorized changes, and rebuild compromised hosts when integrity cannot be firmly established.
• Validate: Confirm patch application, scan with up‑to‑date signatures, and validate WAF and firewall rule coverage.
• Report: For federal entities, follow BOD reporting and remediation compliance requirements. For private entities serving federal customers, coordinate disclosures as contractual obligations require.
• Post‑incident hardening: Apply code‑level mitigations (e.g., remove BinaryFormatter usage), tighten CI/CD, and enable runtime protections and EDR across endpoints.

---

Detection recipes and SIEM queries (examples)​

• Web server logs (IIS / Apache / nginx): search for high‑volume POSTs to REST API endpoints or strings containing base64 payloads, atypical content types, or unusually long request bodies.
• IIS logs: look for POST to ClientWebService.asmx or similar WSUS endpoints with unknown AuthorizationCookie values.
• EDR / process telemetry: alert on w3wp.exe (IIS worker process) spawning cmd.exe, powershell.exe, or regsvr32.exe.
• File integrity checks: detect new files in Magento directories and hashed changes to known templates or vendor files.
• Network telemetry: spikes in outbound connections from web or WSUS hosts within minutes of suspicious inbound activity.

(Implement detection use cases tailored to the specific observability coverage of each environment.)

---

Long‑term lessons and recommended hardening​

• Eliminate unsafe serializers: Decommission BinaryFormatter and other unsafe deserializers in favor of safe, whitelist‑based serialization frameworks. Enforce validation of deserialized types wherever deserialization is unavoidable.
• Harden API input validation: Adopt strict schema‑based validation for APIs and implement reject‑by‑default logic for unexpected fields and data types.
• Increase use of runtime protections: Deploy WAFs with tuned rulesets, constrain web server permissions to the least privilege, and enable host‑based runtime mitigations (ASLR, DEP).
• Improve patch orchestration: Invest in automated patch orchestration and test harnesses to reduce the friction between emergency patches and operational constraints.
• Tighten segmentation: Isolate critical infrastructure such as WSUS behind management networks and jump hosts. Reduce cross‑trust between web applications and payment systems.
• Enhance third‑party governance: Treat e‑commerce plugins and extensions as first‑class security assets. Require vendors and integrators to maintain timely patching and to notify customers upon security advisories.

---

Risks, caveats, and unverifiable claims​

• Observed exploit volumes and campaign attributions are supplied by external security vendors and telemetry aggregators; numbers reported publicly vary and may be revised. Treat specific attack counts as indicative, not definitive.
• Public proof‑of‑concept code for the WSUS flaw was reported in some security circles — presence of a PoC raises exploitability risk but does not guarantee widespread weaponization. Organizations should assume rapid exploitation is possible and act accordingly.
• Some mitigation steps (for example, disabling WSUS) may be operationally disruptive and require compensatory controls; any such measure should be coordinated with change and endpoint management teams to avoid creating new risks.

---

Conclusion​

The addition of CVE‑2025‑54236 and CVE‑2025‑59287 to CISA’s KEV Catalog is a clear operational mandate: these are exploitable, high‑impact flaws that demand prioritized action. Adobe Commerce / Magento customers must treat session‑hijack paths in exposed web APIs as emergency fixes, while organizations running WSUS should assume that unpatched servers present an immediate remote‑code‑execution hazard. The practical defense posture is straightforward yet nontrivial: inventory fast, patch faster, isolate where needed, and hunt aggressively for signs of compromise.
Beyond emergency triage, these events reinforce a persistent security truth — critical infrastructure and customer‑facing services remain the highest‑value targets for attackers. Reducing attack surface, eliminating unsafe serialization patterns, enforcing strict input validation, and automating patching and detection workflows are not optional. They are the most durable investments an organization can make to reduce the likelihood that the next KEV addition will become an emergency.

---

Source: CISA CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA