Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Critical vulnerability in Adobe Commerce and Magento: the SessionReaper bug

10 September 2025 18:44

Adobe has reported a critical bug (CVE-2025-54236) affecting the Commerce and Magento platforms. Researchers have called this vulnerability SessionReaper and describe it as one of the most serious in the history of these products.

This week, Adobe developers have already released a patch for the security bug, which received a CVSS score of 9.1. It is reported that the vulnerability can be exploited without authentication to take control of customer accounts via the Commerce REST API.

According to experts at cybersecurity firm Sansec, Adobe notified “select Commerce customers” of the upcoming fix on September 4, which was released on September 9.

Customers using Adobe Commerce on Cloud are already protected by a WAF rule implemented by Adobe as an interim security measure.

Neither Adobe nor Sansec is aware of cases where SessionReaper has been used in real-world attacks. However, Sansec reports that the initial hotfix for CVE-2025-54236 was leaked last week, meaning attackers had more time to create an exploit.

Product | Version | Priority Rating | Platform
Adobe Commerce | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier | 2 | All
Adobe Commerce B2B | 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier | 2 | All
Magento Open Source | 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier | 2 | All

According to researchers, successful exploitation of the issue depends on storing session data in the file system (this is the default configuration used in most cases). Administrators are strongly advised to install the available patch as soon as possible. However, experts warn that the fix disables some internal Magento functions, which could cause issues in custom and external code.
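A triage helper, added here as an example and not code from Adobe, Sansec or the article: it checks whether an installed version falls inside the affected ranges from the table above and whether app/etc/env.php declares file-system session storage, the precondition the researchers describe. The version ceilings are the Adobe Commerce row of the table; the env.php fragment is constructed, and treating a missing session block as the file-system default is an assumption.

```python
import re

# Ceilings from the article's table (Adobe Commerce row, "X and earlier").
AFFECTED_CEILINGS = [
    "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
    "2.4.6-p12", "2.4.5-p14", "2.4.4-p15",
]

# Pre-releases sort before the plain release, patch levels (-pN) after it.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")

def parse_version(v):
    """Map a Magento version string such as '2.4.8-p2' to a sortable tuple."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {v!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage or ""], int(num or 0))

def version_in_affected_range(v, ceilings=AFFECTED_CEILINGS):
    """True if v is at or below its own branch's ceiling, or older than every
    listed branch (the 'and earlier' wording of the oldest row)."""
    ver = parse_version(v)
    parsed = [parse_version(c) for c in ceilings]
    for ceiling in parsed:
        if ceiling[:3] == ver[:3]:
            return ver <= ceiling
    return ver < min(parsed)

_SESSION_RE = re.compile(r"'session'\s*=>\s*\[[^\]]*?'save'\s*=>\s*'([a-z]+)'")

def session_handler(env_php):
    """Session save handler declared in env.php text. Assumption: a missing
    'session' block means the file-system default ('files')."""
    m = _SESSION_RE.search(env_php)
    return m.group(1) if m else "files"

def triage(version, env_php):
    """An install needs urgent patching when it is in the affected range AND
    stores sessions in the file system."""
    in_range = version_in_affected_range(version)
    handler = session_handler(env_php)
    return {"affected_version": in_range, "session_save": handler,
            "precondition_met": in_range and handler == "files"}

# Constructed env.php fragment, not taken from any real deployment.
SAMPLE_ENV = "<?php\nreturn [\n    'session' => [\n        'save' => 'files'\n    ],\n];\n"

if __name__ == "__main__":
    print(triage("2.4.8-p1", SAMPLE_ENV))
```

Installs that store sessions in Redis or the database still fall in the affected version range and should be patched; the handler check only tells you whether the described precondition is present.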

Sansec experts predict that CVE-2025-54236 will be exploited in large-scale automated attacks. They note that this vulnerability is among the most serious in Magento’s history, along with CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.

Similar issues have been exploited in the past to spoof sessions, escalate privileges, access internal services, and execute code.


Agostino Pellegrino
He is a freelancer, teacher and expert in Computer Forensics, Cyber Security, Ethical Hacking and Network Management. He has collaborated with leading educational institutions internationally and has taught and mentored advanced Offensive Security techniques for NATO, obtaining major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Cybersecurity architecture, Threat intelligence, Digital forensics, Offensive security, Incident response & SOAR, Malware analysis, Compliance & frameworks