A Flaw in Adobe Commerce (CVE-2025-54236) Allows Hackers to Take Over Customer Accounts
Adobe has warned users of a serious security vulnerability in its Adobe Commerce and open-source Magento platforms that, if successfully exploited, could let attackers take over customer accounts.

The vulnerability, dubbed SessionReaper and tracked as CVE-2025-54236, carries a CVSS score of 9.1 out of a possible 10.0. It has been classified as an improper input validation flaw. According to Adobe, there are no known exploits in the wild.
“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe stated in its advisory.
The following products and versions are affected by the problem:
Adobe Commerce (all deployment methods):
- 4.9-alpha2 and earlier
- 4.8-p2 and earlier
- 4.7-p7 and earlier
- 4.6-p12 and earlier
- 4.5-p14 and earlier
- 4.4-p15 and earlier
Adobe Commerce B2B:
- 5.3-alpha2 and earlier
- 5.2-p2 and earlier
- 4.2-p7 and earlier
- 3.4-p14 and earlier
- 3.3-p15 and earlier
Magento Open Source:
- 4.9-alpha2 and earlier
- 4.8-p2 and earlier
- 4.7-p7 and earlier
- 4.6-p12 and earlier
- 4.5-p14 and earlier
Custom Attributes Serializable module:
- Versions 0.1.0 to 0.4.0
In addition to releasing a fix for the issue, Adobe said it has deployed web application firewall (WAF) rules to block exploitation attempts against merchants running Adobe Commerce on its Cloud infrastructure.

“SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” Sansec, an e-commerce security firm, stated.
Although the Netherlands-based company said it had successfully reproduced one exploitation path for CVE-2025-54236, it noted that there are additional potential ways to weaponize the vulnerability.
“The vulnerability follows a familiar pattern from last year’s CosmicSting attack,” it stated. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.”

The particular remote code execution vector appears to require file-based session storage. However, since there are several ways to exploit this issue, we advise merchants who use Redis or database sessions to also act right away.
Adobe has also fixed a significant path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that could result in an unauthorized file system write. It affects ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.