Urgent Security Advisory from Adobe: What You Need to Know About CVE-2025-54236
Adobe has recently issued a security advisory for a vulnerability tracked as CVE-2025-54236, also referred to as SessionReaper. This issue affects the Adobe Commerce and Magento Open Source platforms. With a critical CVSS score of 9.1 out of 10, it signals a serious risk that could result in unauthorized access and the compromise of customer accounts via the Commerce REST API.
Understanding CVE-2025-54236
CVE-2025-54236 is categorized as an improper input validation vulnerability. According to Adobe, this flaw can be exploited by a malicious actor using the Commerce REST API to gain full control over customer accounts. While there are no confirmed instances of this vulnerability being actively exploited, Adobe has underlined its significance, urging users to implement security patches as an immediate measure.
“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” the advisory states (APSB25-88). This serves as a stark reminder of the vulnerabilities within widely used e-commerce systems.
Affected Products and Versions
This vulnerability impacts several versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. The specific versions at risk include:
- Adobe Commerce: Versions 2.4.9-alpha2 and earlier
- Magento Open Source: Versions 2.4.9-alpha2 and earlier
- Adobe Commerce B2B: Versions 1.5.3-alpha2 and earlier
- Custom Attributes Serializable Module: Versions 0.1.0 to 0.4.0
For a complete list of affected versions, refer to Adobe’s dedicated security bulletin.
The Patch: VULN-32437-2-4-X
To mitigate the risk posed by this vulnerability, Adobe has released a hotfix identified as VULN-32437-2-4-X-patch. Users are strongly encouraged to apply this patch at the earliest convenience. Ignoring this security update could leave systems vulnerable, and Adobe may be limited in its ability to provide support without the patch in place.
For those operating with the Custom Attributes Serializable module, an upgrade to version 0.4.0 or later is essential. Users can execute the following Composer command to make this update:
```shell
composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies
```
Protection for Cloud and Managed Services Users
If you are hosted on Adobe Commerce Cloud infrastructure, Adobe has already put Web Application Firewall (WAF) rules in place to help block potential exploitation attempts. Users on Managed Services should consult their Customer Success Engineer for assistance in applying the fix.
However, it’s important to understand that while WAF rules provide a layer of security, they do not eliminate the necessity of implementing the patch. These measures are interim solutions and should not be treated as a long-term fix.
Verifying the Patch
To confirm that the patch has been successfully applied, Adobe recommends using the Quality Patches Tool. For example, to check if a specific patch like VULN-27015-2.4.7_COMPOSER.patch has been installed, users can execute the following command:
```shell
vendor/bin/magento-patches -n status | grep -E "27015|Status"
```
The `-E` flag is needed so that `|` is treated as an alternation (the header row and the patch row are both printed); with basic regex, a bare `|` is a literal character and the command matches nothing. This command will show an “Applied” status if the patch is active, giving administrators a quick way to validate that their systems are patched.
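The same check, turned into a script that fails when any of the hotfixes named on this page is missing, as an added example that is not part of Adobe's advisory or tooling. It assumes `vendor/bin/magento-patches -n status` prints one row per patch with the patch id and a Status column; the sample table embedded below is constructed for offline runs.

```shell
#!/bin/sh
# Added example: verify that required Quality Patches Tool patches report "Applied".
# Assumption: the status command prints one row per patch containing the patch id
# and its Status column. SAMPLE_STATUS is a constructed stand-in for that output.

SAMPLE_STATUS='Id          | Title                 | Status      | Details
VULN-32437  | SessionReaper hotfix  | Applied     | Available for 2.4.x
VULN-27015  | Earlier example patch | Not applied | Available for 2.4.7'

# patch_row TEXT PATCH_ID: print the first status row mentioning the patch id.
# grep -E is required: under basic regex a bare "|" is a literal character.
patch_row() {
    printf '%s\n' "$1" | grep -E "$2" | head -n 1
}

# patch_applied TEXT PATCH_ID: return 0 only when the row says "Applied",
# 1 when it says "Not applied", 2 when the tool does not know the patch at all.
# "Not applied" is tested first: a case-insensitive match on "applied" would
# otherwise accept it and report a missing patch as present.
patch_applied() {
    row=$(patch_row "$1" "$2")
    case "$row" in
        "") return 2 ;;
        *"Not applied"*) return 1 ;;
        *Applied*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_required_patches TEXT ID...: return non-zero if any listed patch is not applied.
check_required_patches() {
    text=$1; shift
    missing=0
    for id in "$@"; do
        if patch_applied "$text" "$id"; then
            echo "$id: applied"
        else
            echo "$id: NOT applied"; missing=1
        fi
    done
    return $missing
}

# Use the live tool inside a Commerce install; fall back to the sample elsewhere.
STATUS_OUTPUT=$(vendor/bin/magento-patches -n status 2>/dev/null || printf '%s' "$SAMPLE_STATUS")
check_required_patches "$STATUS_OUTPUT" VULN-32437 VULN-27015 || echo "at least one required patch is missing"
```

Run it from the Commerce root as a post-deploy step; a non-zero return from `check_required_patches` is the signal to block the deployment.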
The vulnerability was initially reported to Adobe by an independent security researcher known as blaklis. While no evidence suggests that SessionReaper has been weaponized, its potential implications for e-commerce businesses are substantial.
Urgent Call to Action
Given the extensive use of Adobe Commerce and Magento Open Source platforms in the e-commerce sector, the emergence of SessionReaper should raise immediate concerns. Organizations utilizing any affected versions must take prompt action:
- Apply the VULN-32437-2-4-X patch without delay.
- Upgrade the Custom Attributes Serializable module to version 0.4.0 or higher.
- Confirm patch application with Adobe’s recommended verification tools.
- Seek assistance from Adobe support or Customer Success Engineers as needed.
Adobe has made the latest security updates available via its official security bulletin, where users can find detailed instructions for applying security patches and other necessary resources to ensure system safety.