CVE-2025-22386 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting Optimizely Configured Commerce versions prior to 5.2.2408. The vulnerability resides in the Commerce B2B application’s session management system, where session tokens remain valid even after a user logs out. This improper session invalidation allows an attacker who obtains or intercepts such tokens to reuse them to impersonate the logged-out user, thereby gaining unauthorized access to sensitive storefront functions. The CVSS 3.1 base score of 7.3 reflects the network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), with high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). The vulnerability does not require elevated privileges beyond those of a logged-in user but does require user interaction, such as tricking a user into logging out or session token exposure. No public exploits have been reported yet, but the risk remains significant due to the potential for session hijacking and unauthorized transactions or data access. The lack of a patch link indicates that a fix may be pending or not yet publicly released. This vulnerability highlights the critical need for robust session management controls in web commerce platforms to prevent session reuse after logout.

The primary impact of CVE-2025-22386 is unauthorized access to user accounts within the Optimizely Configured Commerce B2B storefront environment. Attackers can exploit lingering session tokens to impersonate users who have logged out, potentially accessing sensitive business data, performing unauthorized transactions, or manipulating storefront configurations. This compromises confidentiality and integrity of user sessions and data. Although availability is not affected, the breach of session security can lead to financial losses, reputational damage, and regulatory compliance issues for organizations. The vulnerability is particularly concerning for enterprises relying on Optimizely for B2B commerce, as attackers could leverage this flaw to escalate privileges or move laterally within the network. Given the network-based attack vector and low complexity, exploitation could be automated or integrated into phishing campaigns, increasing the risk of widespread compromise if unmitigated.

Organizations should immediately review their use of Optimizely Configured Commerce and plan to upgrade to version 5.2.2408 or later once available. In the absence of an official patch, implement compensating controls such as enforcing shorter session timeouts, invalidating sessions server-side upon logout, and monitoring for unusual session reuse patterns. Employ multi-factor authentication (MFA) to reduce the impact of stolen session tokens. Additionally, ensure secure transmission of session tokens using HTTPS with secure and HttpOnly cookie flags. Conduct regular security audits and penetration testing focused on session management. Educate users about phishing risks and encourage prompt reporting of suspicious activity. Network segmentation and strict access controls can limit the scope of potential exploitation. Finally, stay informed on vendor advisories for official patches or updates.