Critical Security Flaw in Adobe’s Commerce Platforms
Adobe has issued an urgent warning about a significant vulnerability in its Adobe Commerce and Magento Open Source platforms. Tracked as CVE-2025-54236 and nicknamed SessionReaper by researchers, the flaw carries a CVSS score of 9.1, placing it in the critical range. If exploited, it could allow attackers to take over customer accounts, a serious concern for any business running these platforms.
Nature of the Vulnerability
The vulnerability is an improper input validation weakness that is reachable through the Commerce REST API. Adobe has not reported any active exploitation in the wild, but because successful exploitation leads to customer account takeover, the issue warrants immediate attention.
Affected Products and Versions
The following Adobe Commerce and Magento Open Source versions are impacted:
Adobe Commerce (all deployment methods)
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
Adobe Commerce B2B
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
Magento Open Source
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
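As an added example (not from Adobe's advisory or this article), the following Python maps a store's reported version onto the ceilings listed above. The product keys, the expected `bin/magento --version` output, and the ordering of alpha/beta/rc/p suffixes within one branch are this example's assumptions. A version at or below a ceiling is affected, one above it is outside the listed set, and a branch Adobe did not list (for example an end-of-life 2.4.3 build) is reported as unknown rather than safe.

```python
import re
from typing import Optional

# Highest affected build per release branch, copied from the advisory list
# above ("X and earlier"). The product keys are this example's own labels.
AFFECTED_CEILINGS = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
    "magento-open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14"],
}

# Assumed ordering of suffixes within one x.y.z branch:
# alpha < beta < rc < plain release < p1 < p2 < ...
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")


def parse_version(version: str):
    """Split '2.4.7-p3' into ((2, 4, 7), (rank_of_p, 3)) so tuples compare."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4) or ""
    number = int(m.group(5)) if m.group(5) else 0
    return base, (_SUFFIX_RANK[suffix], number)


def version_from_cli_output(output: str) -> Optional[str]:
    """Pull the version out of `bin/magento --version` output, which is
    assumed to contain a string such as 'Magento CLI 2.4.6-p5'."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|rc|p)\d+)?", output)
    return m.group(0) if m else None


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the build is at or below the listed ceiling for its branch,
    False if it is above it, None if the branch is not in Adobe's list
    (an unlisted branch is unknown, not safe)."""
    base, tag = parse_version(version)
    for ceiling in AFFECTED_CEILINGS[product]:
        ceiling_base, ceiling_tag = parse_version(ceiling)
        if ceiling_base == base:
            return tag <= ceiling_tag
    return None


if __name__ == "__main__":
    for product, ver in [("adobe-commerce", "2.4.7-p7"),
                         ("magento-open-source", "2.4.9-beta1"),
                         ("adobe-commerce-b2b", "1.4.2-p7"),
                         ("adobe-commerce", "2.4.3-p3")]:
        print(product, ver, is_affected(product, ver))
```

One caveat for anyone using this on a real store: a version check only tells you whether the build predates the fix. Adobe shipped the fix as a hotfix applied on top of existing builds, and a hotfix leaves the reported version unchanged, so a store on 2.4.7-p7 with the hotfix applied still reports 2.4.7-p7. Confirm the hotfix separately rather than treating a version number as proof either way.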
Proactive Measures from Adobe
In response, Adobe has released a hotfix and has also deployed web application firewall (WAF) rules intended to block exploitation attempts. The WAF rules are especially relevant for merchants running Adobe Commerce on Cloud infrastructure. They reduce exposure but are a mitigation, not a fix: the hotfix should still be applied on every affected installation.
Comparisons to Historical Vulnerabilities
Researchers at the e-commerce security firm Sansec have compared SessionReaper with some of the most severe vulnerabilities in Magento's history, namely Shoplift (2015) and CosmicSting (2024). Sansec says it has identified one working method of exploiting the flaw and notes that there are several ways to weaponize it.
Specifics of the Exploitation
According to Sansec, the exploitation method follows a pattern seen in earlier attacks: a malicious session combined with a nested deserialization bug in Magento's REST API. Sansec's initial findings indicate that remote code execution via this path requires file-based session storage. Merchants using Redis or database session storage should nonetheless apply the fix immediately, since other abuse paths exist that do not depend on the session backend.
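To tell which case a store falls into, here is an added Python check (not Sansec's or Adobe's code) that reads the session save handler from Magento's `app/etc/env.php`. The env.php fragments are constructed for the example. It assumes the short `[...]` array syntax Magento 2 writes, that the top-level `'session'` array carries the `'save'` key, and that a missing `'session'` block means Magento's default of file-based sessions.

```python
import re
from typing import Optional

# Constructed sample env.php fragments (not taken from a real store).
SAMPLE_FILES_ENV = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'cache_types' => ['config' => 1, 'layout' => 1],
];
"""

SAMPLE_REDIS_ENV = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'redis',
        'redis' => [
            'host' => '127.0.0.1',
            'port' => '6379',
            'database' => '2'
        ]
    ],
];
"""

SAMPLE_NO_SESSION_ENV = """<?php
return [
    'backend' => ['frontName' => 'admin'],
];
"""


def _array_body(text: str, key: str) -> Optional[str]:
    """Return the text inside `'key' => [ ... ]`, matching brackets so that
    nested arrays (such as the redis sub-array) stay inside the body."""
    m = re.search(r"'%s'\s*=>\s*\[" % re.escape(key), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        if text[i] == "[":
            depth += 1
        elif text[i] == "]":
            depth -= 1
        i += 1
    return text[m.end():i - 1]


def session_store(env_php: str) -> str:
    """Session save handler configured in env.php: 'files', 'redis', 'db', ...
    Assumption: no 'session' block, or no 'save' key, means Magento's
    default file-based handler."""
    body = _array_body(env_php, "session")
    if body is None:
        return "files"
    m = re.search(r"'save'\s*=>\s*'([^']+)'", body)
    return m.group(1) if m else "files"


def file_sessions_in_use(env_php: str) -> bool:
    """True when the RCE precondition Sansec described (file-based sessions)
    holds. False does not mean safe: Redis and db stores still need the fix."""
    return session_store(env_php) == "files"


if __name__ == "__main__":
    for name, env in [("files", SAMPLE_FILES_ENV), ("redis", SAMPLE_REDIS_ENV),
                      ("default", SAMPLE_NO_SESSION_ENV)]:
        print(name, session_store(env), file_sessions_in_use(env))
```

On a real store, pass the contents of `app/etc/env.php` to `session_store()`. Treat a `files` result as the higher-urgency case for the RCE path described above, and treat any other result as a reason to patch rather than as a reason to wait.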
Additional Vulnerabilities Addressed
Separately from SessionReaper, Adobe has also patched a serious flaw in ColdFusion. Tracked as CVE-2025-54261 and rated CVSS 9.0, it could allow arbitrary file system writes. It affects ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms, and administrators of those versions should remediate it promptly.
Conclusion: The Importance of Vigilance
The details of the SessionReaper vulnerability reinforce the need for constant vigilance over software security. Organizations running Adobe Commerce or Magento Open Source should apply the hotfix or update to a fixed release without delay, and implement Adobe's recommended mitigations, to protect customer data and business operations.