False positives for CVE-2025-54236 (Adobe Commerce: Improper Input Validation)

Hi, anyone else getting a bunch of false positives for CVE-2025-54236 Adobe Commerce: Improper Input Validation?
I am getting these on assets that don’t have this software or even on assets that are incapable of having any software.
The proof of the vuln is horribly vague: “Received expected response for exploit” - no actual detail is given. I opened a case with Rapid7 and I suggest anyone who gets this FP opens a case so that they take this seriously.


Yes. Getting this false positive on lots of HP ILO interfaces. Came here to check if anyone else had already seen the same.

The “proof” is appalling; it should never be allowed to have such a useless text entry, as it defeats the entire point of having the proof data.

Same in our company: the proof for all flagged assets says “Received expected response for exploit”.

Checking the Adobe security bulletin, it shows the impacted products:

  • Adobe Commerce
  • Adobe Commerce B2B
  • Magento Open Source