Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers name SessionReaper and describe as one of “the most severe” flaws in the history of the product.
Today, the software company released a patch for the security issue, which could be exploited without authentication to take control of customer accounts through the Commerce REST API.
According to e-commerce security firm Sansec, Adobe notified “selected Commerce customers” on September 4th of an upcoming emergency fix planned for September 9.
“Adobe is planning to release a security update for Adobe Commerce and Magento Open Source on Tuesday, September 9, 2025,” reads the notice.
“This update resolves a critical vulnerability. Successful exploitation could lead to security feature bypass.”
Customers using Adobe Commerce on Cloud are already protected by a web application firewall (WAF) rule deployed by Adobe as an interim measure.

Source: Sansec
Adobe says in its security bulletin that it is not aware of any exploitation activity in the wild. Sansec’s advisory also notes that the researchers have not seen any active exploitation of SessionReaper.
However, Sansec says that an initial hotfix for CVE-2025-54236 was leaked last week, which may give threat actors a head start on developing an exploit.
According to the researchers, successful exploitation “appears” to depend on storing session data on the file system, a default configuration that most stores use.
Administrators are strongly advised to test and deploy the available patch (direct download, ZIP archive) immediately. The researchers warn that the fix disables internal Magento functionality, which could cause some custom or third-party code to break.
To this end, Adobe updated its documentation for changes to the Adobe Commerce REST API constructor parameter injection.
“Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited ability to help remediate” – Adobe
Sansec researchers expect CVE-2025-54236 to be abused via automation, at scale. They note that the vulnerability is among the most severe Magento vulnerabilities in the history of the platform, alongside CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.
Similar issues in the past were leveraged for session forging, privilege escalation, internal service access, and code execution.
The security firm was able to reproduce the SessionReaper exploit but did not disclose the code or technical details, saying only that “the vulnerability follows a familiar pattern from last year’s CosmicSting attack.”