Red Hot Cyber


Critical vulnerability in Adobe Commerce and Magento: the SessionReaper bug

Redazione RHC : 10 September 2025 18:44

Adobe has reported a critical bug (CVE-2025-54236) affecting the Commerce and Magento platforms. Researchers have called this vulnerability SessionReaper and describe it as one of the most serious in the history of these products.

This week, Adobe developers have already released a patch for the security bug, which received a CVSS score of 9.1. It is reported that the vulnerability can be exploited without authentication to take control of customer accounts via the Commerce REST API.

According to experts at cybersecurity firm Sansec, Adobe notified “select Commerce customers” of the upcoming fix on September 4, which was released on September 9.

Customers using Adobe Commerce on Cloud are already protected by a WAF rule implemented by Adobe as an interim security measure.

Neither Adobe nor Sansec is aware of cases where SessionReaper has been used in real-world attacks. However, Sansec reports that the initial hotfix for CVE-2025-54236 was leaked last week, meaning attackers had more time to create an exploit.

Product: Adobe Commerce
Version: 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier
Priority Rating: 2
Platform: All

Product: Adobe Commerce B2B
Version: 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier
Priority Rating: 2
Platform: All

Product: Magento Open Source
Version: 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier
Priority Rating: 2
Platform: All

According to researchers, successful exploitation of the issue depends on storing session data in the file system (this is the default configuration used in most cases). Administrators are strongly advised to install the available patch as soon as possible. However, experts warn that the fix disables some internal Magento functions, which could cause issues in custom and external code.
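As an added triage aid for administrators (example code written for this page, not Adobe's or Sansec's), the Python below encodes the Magento Open Source rows of the version table and reads the session backend from app/etc/env.php, the precondition the researchers name. It assumes the standard Magento 2 env.php layout ('session' => ['save' => ...] in short array syntax); the env.php fragment is constructed.

```python
import re
from typing import Optional, Tuple

# Affected-version ceilings for Magento Open Source, transcribed from the table above
# ("X and earlier" = affected up to and including X); extend for the other two products.
AFFECTED_CEILINGS = {
    (2, 4, 9): ("alpha", 2),
    (2, 4, 8): ("p", 2),
    (2, 4, 7): ("p", 7),
    (2, 4, 6): ("p", 12),
    (2, 4, 5): ("p", 14),
}
_STAGE_RANK = {"alpha": 0, "beta": 1, "p": 2}  # pre-release < GA (taken as p0) < p1 < p2 ...

def parse_version(v: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """'2.4.8-p2' -> ((2, 4, 8), (2, 2)); a bare '2.4.8' counts as patch level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {v!r}")
    stage, num = (m[4], int(m[5])) if m[4] else ("p", 0)
    return (int(m[1]), int(m[2]), int(m[3])), (_STAGE_RANK[stage], num)

def is_affected(version: str) -> Optional[bool]:
    """True/False per the table; None if the release line is newer than anything listed."""
    line, level = parse_version(version)
    if line in AFFECTED_CEILINGS:
        stage, num = AFFECTED_CEILINGS[line]
        return level <= (_STAGE_RANK[stage], num)
    return True if line < min(AFFECTED_CEILINGS) else None  # older lines fall under "and earlier"

def session_save_backend(env_php: str) -> Optional[str]:
    """Return the 'save' backend from env.php's 'session' array (short [] syntax assumed).
    None means no 'session' block or no 'save' key, i.e. the default, which is file storage."""
    start = re.search(r"'session'\s*=>\s*\[", env_php)
    if not start:
        return None
    depth, i = 1, start.end()
    while i < len(env_php) and depth:  # walk to the matching ']' so a nested
        depth += {"[": 1, "]": -1}.get(env_php[i], 0)  # 'redis' => [...] cannot cut the scan short
        i += 1
    m = re.search(r"'save'\s*=>\s*'(\w+)'", env_php[start.end():i])
    return m[1] if m else None

# Constructed sample env.php fragment (not taken from any real deployment).
SAMPLE_ENV_PHP = """<?php
return ['session' => ['save' => 'redis',
    'redis' => ['host' => '127.0.0.1', 'port' => '6379', 'database' => '2']]];
"""
```

A result of "files" (or None) from session_save_backend together with True from is_affected is the combination the researchers describe as exploitable; any other backend still warrants the patch.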

Sansec experts predict that CVE-2025-54236 will be exploited in large-scale automated attacks. They note that this vulnerability is among the most serious in Magento’s history, along with CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.

Similar issues have been exploited in the past to spoof sessions, escalate privileges, access internal services, and execute code.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
