Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers have named SessionReaper and describe as one of "the most severe" flaws in the history of the product.
Today, the software company released a patch for the security issue, which could be exploited without authentication to take control of customer accounts through the Commerce REST API.
According to e-commerce security company Sansec, Adobe notified "selected Commerce customers" on September 4th of an upcoming emergency fix planned for September 9.
"Adobe is planning to release a security update for Adobe Commerce and Magento Open Source on Tuesday, September 9, 2025," reads the notice.
"This update resolves a critical vulnerability. Successful exploitation could lead to security feature bypass."
Customers using Adobe Commerce on Cloud are already protected by a web application firewall (WAF) rule deployed by Adobe as an interim measure.

Source: Sansec
Adobe says in the security bulletin that it is not aware of any exploitation activity in the wild. Sansec's advisory also notes that the researchers have not seen any active exploitation of SessionReaper.
However, Sansec says that an initial hotfix for CVE-2025-54236 was leaked last week, which may give threat actors a potential head start on developing an exploit.
According to the researchers, successful exploitation "appears" to depend on storing session data on the file system, a default configuration that most stores use.
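Since the researchers tie exploitation to file-based session storage, a store owner's first question is which backend their deployment actually uses. The following check is an added example, not code from Adobe, Sansec, or this article; it assumes the standard Magento 2 `app/etc/env.php` layout, where the file returns an array and the session backend is set under `$config['session']['save']` (`files`, `redis` or `db`). The sample configurations are constructed.

```php
<?php
// Added example: report the session storage backend configured for a
// Magento / Adobe Commerce store. Not part of the article or of Adobe's code.
// Assumption: standard env.php layout with $config['session']['save'].

function sessionBackend(array $config): string
{
    // When no 'session' block is present Magento uses its default handler,
    // which is the file-based one, so a missing key is treated as 'files'.
    $save = $config['session']['save'] ?? 'files';
    return strtolower((string) $save);
}

function describeSessionConfig(array $config): string
{
    $backend = sessionBackend($config);
    if ($backend === 'files') {
        return "session.save=files: sessions live on the local file system, "
             . "the default that the SessionReaper advisory says exploitation appears "
             . "to depend on; apply the CVE-2025-54236 patch with priority.";
    }
    return "session.save={$backend}: sessions are not on the local file system; "
         . "the CVE-2025-54236 patch still has to be applied.";
}

// Constructed sample configurations (not taken from a real store).
$defaultStore = ['session' => ['save' => 'files']];
$redisStore   = [
    'session' => [
        'save'  => 'redis',
        'redis' => ['host' => '127.0.0.1', 'port' => '6379', 'database' => '2'],
    ],
];

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php check-session.php /path/to/magento/app/etc/env.php
    $live = include $argv[1];
    echo describeSessionConfig(is_array($live) ? $live : []), PHP_EOL;
} else {
    echo describeSessionConfig($defaultStore), PHP_EOL;
    echo describeSessionConfig($redisStore), PHP_EOL;
}
```

The script only tells you which storage backend is in use; the article gives no indication that changing the backend replaces the patch, so treat the output as a prioritisation aid.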
Administrators are strongly recommended to test and deploy the available patch (direct download, ZIP archive) immediately. The researchers warn that the fix disables internal Magento functionality, which could lead to some custom or external code breaking.
To this end, Adobe updated its documentation for changes in the Adobe Commerce REST API constructor parameter injection.
"Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited ability to help remediate" – Adobe
Sansec researchers expect CVE-2025-54236 to be abused through automation, at scale. They note that the vulnerability is among the most severe Magento vulnerabilities in the history of the platform, alongside CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.
Similar issues in the past have been leveraged for session forging, privilege escalation, internal service access, and code execution.
The security firm was able to reproduce the SessionReaper exploit but did not disclose the code or technical details, saying only that "the vulnerability follows a familiar pattern from last year's CosmicSting attack."