Adobe has disclosed a **critical vulnerability (CVE-2025-54236, dubbed *SessionReaper*)** in its **Commerce and Magento Open Source platforms**, allowing unauthenticated attackers to **bypass security features and hijack customer accounts** via the Commerce REST API. Though no active exploitation has been observed yet, a leaked hotfix may accelerate threat actor development of exploits. The flaw, deemed one of the most severe in Magento’s history, enables **session forging, privilege escalation, and potential code execution**, mirroring past high-impact vulnerabilities like *CosmicSting* and *Shoplift*.

Adobe released an emergency patch on **September 9, 2025**, urging immediate deployment, as delayed action leaves systems exposed to **automated, large-scale attacks**. Cloud-based Adobe Commerce users received temporary protection via a WAF rule, but on-premise and unpatched instances remain at risk. The vulnerability’s exploitation relies on **default session storage configurations**, increasing its reach. Failure to patch could lead to **widespread account takeovers, financial fraud, and operational disruptions** for e-commerce businesses, with Adobe offering limited remediation support post-breach.

Researchers warn of **high automation potential**, emphasizing the urgency for administrators to test and apply fixes despite potential compatibility issues with custom code.
TPRM report: https://www.rankiteo.com/company/adobe-commerce
{
"id": "ado1892518090925",
"linkid": "adobe-commerce",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Selected Adobe Commerce and '
'Magento Open Source customers '
'(exact number undisclosed)',
'industry': 'Technology',
'location': 'Global',
'name': 'Adobe',
'size': 'Large Enterprise',
'type': 'Software Vendor'}],
'attack_vector': ['Network', 'REST API Exploitation', 'Session Forging'],
'customer_advisories': ['Urgent recommendation to apply the patch '
'immediately.',
'Warning about potential custom code breakage due to '
'disabled internal functionality.',
'Guidance to test the patch in non-production '
'environments first.'],
'date_publicly_disclosed': '2025-09-04',
'date_resolved': '2025-09-09',
'description': 'Adobe has disclosed a critical vulnerability '
"(CVE-2025-54236), dubbed 'SessionReaper,' in its Commerce and "
'Magento Open Source platforms. The flaw allows '
'unauthenticated attackers to take control of customer '
'accounts via the Commerce REST API. Adobe released an '
'emergency patch on September 9, 2025, after notifying '
'selected customers on September 4. While no active '
'exploitation has been observed, a leaked hotfix may give '
'threat actors an advantage in developing exploits. The '
'vulnerability is considered one of the most severe in '
"Magento's history, with potential for automated, large-scale "
'abuse. Administrators are urged to apply the patch '
'immediately, though it may disrupt custom or external code '
'due to disabled internal Magento functionality.',
'impact': {'brand_reputation_impact': ['High (due to severity of '
'vulnerability and historical '
'context)'],
'data_compromised': ['Potential Customer Account Data (if '
'exploited)'],
'identity_theft_risk': ['High (if accounts are compromised)'],
'operational_impact': ['Potential disruption of custom/external '
'code due to patch',
'Urgent patching required'],
'systems_affected': ['Adobe Commerce',
'Magento Open Source (default file-system '
'session storage configurations)']},
'investigation_status': 'Ongoing (no active exploitation observed as of '
'disclosure)',
'lessons_learned': ['Critical vulnerabilities in widely used e-commerce '
'platforms can have severe, automated exploitation risks.',
'Proactive patching and interim mitigations (e.g., WAF '
'rules) are essential for high-severity flaws.',
'Leaked hotfixes can accelerate threat actor exploit '
'development, emphasizing the need for rapid response.',
'Default configurations (e.g., file-system session '
'storage) can amplify vulnerability impact.'],
'post_incident_analysis': {'corrective_actions': ['Patch deployment to '
'disable vulnerable '
'internal functionality.',
'WAF rule deployment for '
'cloud customers as interim '
'mitigation.',
'Documentation updates for '
'secure REST API usage.'],
'root_causes': ['Vulnerability in session handling '
'via Commerce REST API '
'(CVE-2025-54236).',
'Default configuration storing '
'session data on the file system '
'(common across most stores).',
'Potential leak of initial hotfix '
'accelerating exploit '
'development.']},
'recommendations': ['Immediately apply the Adobe-provided patch for '
'CVE-2025-54236.',
'Test the patch in staging environments to identify '
'potential disruptions to custom/external code.',
'Monitor for unusual REST API activity or session '
'anomalies.',
'Review and harden session storage configurations (avoid '
'default file-system storage if possible).',
'Follow Adobe’s updated REST API documentation for secure '
'implementation practices.',
'Consider deploying WAF rules or behavioral protection '
'for on-premise installations.'],
'references': [{'source': 'Sansec Advisory on SessionReaper'},
{'source': 'Adobe Security Bulletin for CVE-2025-54236'},
{'source': 'Adobe Commerce REST API Documentation Updates'}],
'response': {'adaptive_behavioral_waf': ['Deployed for Adobe Commerce on '
'Cloud as interim mitigation'],
'communication_strategy': ['Direct notifications to selected '
'customers (2025-09-04)',
'Public security bulletin',
'Urgent patching advisory'],
'containment_measures': ['WAF rule deployed for Adobe Commerce '
'on Cloud customers',
'Emergency patch release'],
'incident_response_plan_activated': True,
'remediation_measures': ['Patch deployment (disables internal '
'Magento functionality)',
'Updated REST API documentation'],
'third_party_assistance': ['Sansec (research and advisory)']},
'stakeholder_advisories': ['Adobe notified selected Commerce customers on '
'2025-09-04 about the upcoming patch.',
'Public advisory issued with patch release on '
'2025-09-09.'],
'title': 'Critical SessionReaper Vulnerability (CVE-2025-54236) in Adobe '
'Commerce and Magento Open Source',
'type': ['Vulnerability Disclosure',
'Security Feature Bypass',
'Unauthenticated Account Takeover'],
'vulnerability_exploited': 'CVE-2025-54236 (SessionReaper - Session Data '
'Storage on File System)'}