Adobe has warned of a essential safety flaw in its Commerce and Magento Open Supply platforms that, if efficiently exploited, may permit attackers to take management of buyer accounts.
The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS rating of 9.1 out of a most of 10.0. It has been described as an improper enter validation flaw. Adobe mentioned it isn’t conscious of any exploits within the wild.
“A possible attacker may take over buyer accounts in Adobe Commerce by way of the Commerce REST API,” Adobe mentioned in an advisory issued right this moment.
The difficulty impacts the next merchandise and variations –
Adobe Commerce (all deployment strategies):
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
Magento Open Supply:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
Customized Attributes Serializable module:
Adobe, along with releasing a hotfix for the vulnerability, mentioned it has deployed internet utility firewall (WAF) guidelines to guard environments towards exploitation makes an attempt which will goal retailers utilizing Adobe Commerce on Cloud infrastructure.
“SessionReaper is without doubt one of the extra extreme Magento vulnerabilities in its historical past, similar to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce safety firm Sansec mentioned.
The Netherlands-based agency mentioned it efficiently reproduced one attainable approach to exploit CVE-2025-54236, however famous that there are different attainable avenues to weaponize the vulnerability.
“The vulnerability follows a well-recognized sample from final 12 months’s CosmicSting assault,” it added. “The assault combines a malicious session with a nested deserialization bug in Magento’s REST API.”
“The particular distant code execution vector seems to require file-based session storage. Nonetheless, we advocate retailers utilizing Redis or database periods to take instant motion as properly, as there are a number of methods to abuse this vulnerability.”
Adobe has additionally shipped fixes to include a essential path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS rating: 9.0) that would result in an arbitrary file system write. It impacts ColdFusion 2021 (Replace 21 and earlier), 2023 (Replace 15 and earlier), and 2025 (Replace 3 and earlier) on all platforms.
