Adobe has issued a critical warning about a severe vulnerability in its Commerce and Magento Open Source platforms. The flaw, which researchers have named SessionReaper, is considered one of the most serious in the product's history.
Adobe released a patch for the issue today, September 9, 2025. The vulnerability, tracked as CVE-2025-54236, could allow an attacker to take over customer accounts without any authentication; the attack surface is the Commerce REST API.
According to the e-commerce security company Sansec, Adobe privately notified some of its Commerce customers about the upcoming emergency fix. Adobe's official security bulletin confirms that it is not aware of any active exploitation of the vulnerability in the wild, a sentiment echoed by Sansec. However, a hotfix was leaked last week, which may have given malicious actors a head start in creating an exploit.
Researchers found that the vulnerability appears to be exploitable on stores that use the default configuration of storing session data on the file system. Administrators are strongly advised to apply the patch immediately. Note that the patch disables some internal functionality, which could break custom or third-party code; Adobe has updated its documentation to help with this.
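Because the exposed configuration named above is file-based session storage, a first triage step on any Magento host is to confirm which session backend the store actually uses. The script below is an added example, not code from Adobe, Sansec or this article: it reads the `session` / `save` entry of a Magento `app/etc/env.php` (a real Magento configuration key, where a missing entry means the file-based default) and reports whether the store matches the configuration the article describes. The two `env.php` fragments are constructed samples, and the regex is a deliberately simple heuristic rather than a full PHP parser.

```python
import re
import sys

# Constructed sample fragments of a Magento app/etc/env.php (not from any real store).
SAMPLE_ENV_PHP_FILES = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'db' => ['table_prefix' => ''],
];
"""

SAMPLE_ENV_PHP_REDIS = """<?php
return [
    'session' => [
        'save' => 'redis',
        'redis' => ['host' => '127.0.0.1', 'port' => '6379']
    ],
];
"""

# Heuristic: find the first 'save' => '<backend>' pair after the 'session' array opens.
# Good enough for the standard env.php layout; not a general PHP parser.
SESSION_SAVE_RE = re.compile(
    r"'session'\s*=>\s*\[.*?'save'\s*=>\s*'([^']*)'", re.DOTALL
)


def session_save_backend(env_php: str) -> str:
    """Return the configured session backend ('files', 'redis', 'db', ...).

    Magento falls back to file-based sessions when the key is absent, which is
    why the article calls file storage the default configuration.
    """
    match = SESSION_SAVE_RE.search(env_php)
    return match.group(1) if match else "files"


def uses_file_sessions(env_php: str) -> bool:
    """True when the store keeps session data on the file system."""
    return session_save_backend(env_php) == "files"


def triage_report(env_php: str) -> dict:
    """Summarise the session configuration for a patch-priority decision.

    The patch for CVE-2025-54236 should be applied in every case; the report
    only flags which stores match the configuration reported as exposed.
    """
    backend = session_save_backend(env_php)
    return {
        "session_backend": backend,
        "file_sessions": backend == "files",
        "priority": "immediate" if backend == "files" else "high",
    }


if __name__ == "__main__":
    # Usage: python check_sessions.py /path/to/app/etc/env.php
    # Without an argument, the constructed samples are evaluated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(triage_report(fh.read()))
    else:
        for name, sample in (("files-sample", SAMPLE_ENV_PHP_FILES),
                             ("redis-sample", SAMPLE_ENV_PHP_REDIS)):
            print(name, triage_report(sample))
```

Run it against each store's `app/etc/env.php` to rank which hosts to patch first; a non-file backend lowers the reported priority but does not remove the need to apply the patch.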
Sansec researchers believe that SessionReaper could be abused on a large scale through automated attacks. They rank it among the most severe Magento vulnerabilities ever, alongside past flaws like CosmicSting and Shoplift. Similar issues in the past have been used for privilege escalation and code execution. Sansec was able to reproduce the exploit but did not release the code or technical details.