Critical Adobe Patches Address SessionReaper Vulnerability in Magento eCommerce Platform

Adobe has issued a warning regarding a critical vulnerability, identified as CVE-2025-54236, in its Commerce and Magento Open Source platforms. Researchers have dubbed this flaw “SessionReaper,” describing it as one of the most severe vulnerabilities in the product’s history. The vulnerability can be exploited without authentication, allowing attackers to take control of customer accounts via the Commerce REST API. On September 4, 2025, Adobe notified selected Commerce customers about an emergency fix scheduled for release on September 9. The update aims to resolve the critical vulnerability, which could lead to a security feature bypass. Customers using Adobe Commerce on Cloud are already protected by a web application firewall (WAF) rule implemented by Adobe as a temporary measure.

While Adobe has stated that it is not aware of any active exploitation of SessionReaper, e-commerce security company Sansec has noted that an initial hotfix for CVE-2025-54236 was leaked, potentially giving threat actors a head start in creating an exploit. Successful exploitation appears to depend on the default configuration of storing session data on the file system, which most stores utilise. Administrators are strongly advised to test and deploy the available patch immediately, as failure to do so may leave them vulnerable. The fix may disable certain internal Magento functionalities, which could disrupt custom or external code. Sansec researchers anticipate that CVE-2025-54236 will be exploited at scale, likening it to previous severe vulnerabilities such as CosmicSting and Shoplift. 

Categories: Security Vulnerability, Software Patch, E-commerce Threats 

Tags: Adobe, Vulnerability, CVE-2025-54236, SessionReaper, Patch, Exploitation, Magento, Security, E-commerce, REST API 
