Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Critical vulnerability in Adobe Commerce and Magento: the SessionReaper bug

10 September 2025 18:44

Adobe has reported a critical bug (CVE-2025-54236) affecting the Commerce and Magento platforms. Researchers have called this vulnerability SessionReaper and describe it as one of the most serious in the history of these products.

This week, Adobe developers have already released a patch for the security bug, which received a CVSS score of 9.1. It is reported that the vulnerability can be exploited without authentication to take control of customer accounts via the Commerce REST API.

According to experts at cybersecurity firm Sansec, Adobe notified “select Commerce customers” of the upcoming fix on September 4, which was released on September 9.

Customers using Adobe Commerce on Cloud are already protected by a WAF rule implemented by Adobe as an interim security measure.

Neither Adobe nor Sansec is aware of cases where SessionReaper has been used in real-world attacks. However, Sansec reports that the initial hotfix for CVE-2025-54236 was leaked last week, meaning attackers had more time to create an exploit.

| Product | Affected versions | Priority rating | Platform |
|---|---|---|---|
| Adobe Commerce | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier | 2 | All |
| Adobe Commerce B2B | 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier | 2 | All |
| Magento Open Source | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier | 2 | All |

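To turn the affected-version table into a check an administrator can run against their own installation, here is an added Python helper (not code from Adobe, Sansec or this article). The thresholds are transcribed from the table; the ordering inside a branch (alpha < beta < GA build < pN) and the handling of branches the table does not list (older than the oldest listed branch counts as affected, newer ones as unaffected) are assumptions made for the example.

```python
import re

# "<version> and earlier" thresholds per release branch, transcribed from the advisory table.
AFFECTED = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
}

# Accepts major.minor.patch with an optional -alphaN / -betaN / -pN suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Assumed ordering inside one branch: pre-releases, then the GA build, then patch levels.
SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(version):
    """Split '2.4.7-p6' into branch (2, 4, 7) and level (3, 6) so tuples compare naturally."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    level = (SUFFIX_RANK[m.group(4)], int(m.group(5) or 0))
    return branch, level


def is_affected(product, version):
    """True if `version` of `product` is at or below the advisory's threshold for its branch."""
    branch, level = parse_version(version)
    thresholds = dict(parse_version(v) for v in AFFECTED[product])
    if branch in thresholds:
        return level <= thresholds[branch]
    # Assumption for branches the table does not list: anything older than the oldest
    # listed branch is covered by "and earlier"; a newer branch is treated as unaffected.
    return branch < min(thresholds)


if __name__ == "__main__":
    for product, version in [("Adobe Commerce", "2.4.7-p6"), ("Magento Open Source", "2.4.8-p3")]:
        print(product, version, "AFFECTED" if is_affected(product, version) else "not affected")
```

The version string to feed in is the one your installation reports; a result of "not affected" only means the version is above the table's threshold, it says nothing about whether the hotfix or the WAF rule is actually in place.
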
According to researchers, successful exploitation of the issue depends on storing session data in the file system (this is the default configuration used in most cases). Administrators are strongly advised to install the available patch as soon as possible. However, experts warn that the fix disables some internal Magento functions, which could cause issues in custom and external code.

Sansec experts predict that CVE-2025-54236 will be exploited in large-scale automated attacks. They note that this vulnerability is among the most serious in Magento’s history, along with CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.

Similar issues have been exploited in the past to spoof sessions, escalate privileges, access internal services, and execute code.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.