Critical Adobe Commerce vulnerability allows attackers to hijack accounts

10.09.2025 2 minutes Author: Newsman

A critical vulnerability, CVE-2025-54236 (SessionReaper), rated CVSS 9.1, has been discovered in Adobe Commerce products; it could allow attackers to take over customer accounts via the REST API.

Adobe said the flaw is related to improper input validation. While no exploits have been reported in the wild yet, a potential attacker could take full control of user accounts.

The vulnerability affects Adobe Commerce (2.4.9-alpha2 and earlier), Adobe Commerce B2B (1.5.3-alpha2 and earlier), Magento Open Source (2.4.9-alpha2 and earlier), and the Custom Attributes Serializable module (0.1.0–0.4.0).
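As an added example (not from the article, Adobe or Sansec), a small Python helper that checks an inventory of installed component versions against the affected ranges listed above. It assumes Magento-style version suffixes, where "-pN" is a patch release sorting after the base version and "-alphaN"/"-betaN" are pre-releases sorting before it; the product keys are this example's own names.

```python
import re

# Affected ranges as stated in the advisory summary (inclusive upper bounds,
# a lower bound only for the module). Product keys are this example's own names.
AFFECTED = {
    "adobe-commerce": (None, "2.4.9-alpha2"),
    "adobe-commerce-b2b": (None, "1.5.3-alpha2"),
    "magento-open-source": (None, "2.4.9-alpha2"),
    "custom-attributes-serializable": ("0.1.0", "0.4.0"),
}

# Assumption: Magento-style suffixes. "-pN" is a patch release that sorts
# AFTER the base version; "-alphaN"/"-betaN" are pre-releases that sort BEFORE it.
_STAGE = {"alpha": -2, "beta": -1, None: 0, "p": 1}
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Turn '2.4.8-p1' into a sortable tuple (numbers, stage, suffix_number)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # normalise '2.4' -> (2, 4, 0)
    tag, n = m.group(2), m.group(3)
    return (nums, _STAGE[tag], int(n) if n else 0)


def is_affected(product, version):
    """True if `version` of `product` falls inside its affected range."""
    low, high = AFFECTED[product]
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v <= parse_version(high)


def affected_components(installed):
    """Given {product: version}, return the products that still need the hotfix."""
    return sorted(p for p, ver in installed.items() if is_affected(p, ver))


if __name__ == "__main__":
    # Constructed sample inventory, not a real installation.
    sample = {
        "magento-open-source": "2.4.8-p1",
        "adobe-commerce-b2b": "1.5.3",
        "custom-attributes-serializable": "0.3.2",
    }
    print(affected_components(sample))  # ['custom-attributes-serializable', 'magento-open-source']
```

Note that a naive string or numeric comparison would wrongly flag the final 2.4.9 release as "2.4.9-alpha2 and earlier"; the stage ordering above is what keeps pre-releases below their base version.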

The company has released a hotfix and enabled WAF rules to protect cloud environments.

Sansec researchers have called SessionReaper one of the most serious Magento vulnerabilities in recent years, alongside Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). They were able to reproduce the exploitation method and believe there are multiple attack vectors. The root cause lies in unsafe session handling and deserialization in the API, which in some cases can even lead to remote code execution.

In addition, Adobe closed another critical hole, CVE-2025-54261 in ColdFusion (CVSS 9.0), which allowed arbitrary writes to the file system.

SessionReaper confirms that large e-commerce platforms remain an attractive target for attackers. Adobe released a patch quickly, but administrators and developers should update their installations immediately and review their configuration, since even deployments that store sessions in Redis or a database remain at risk.
