
Adobe has warned of a critical security flaw in its Adobe Commerce and Magento Open Source platforms that allows attackers to take control of customer accounts.
The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of 10.0. It is described as an improper input validation defect. Adobe said it is not aware of any exploits in the wild.
“Potential attackers can take over Adobe Commerce customer accounts through the Commerce REST API,” Adobe said in an advisory published today.
This issue affects the following products and versions:

Adobe Commerce (all deployment methods): 2.4.9-alpha2 and earlier, 2.4.8-P2 and earlier, 2.4.7-P7 and earlier, 2.4.6-P12 and earlier, 2.4.5-P14 and earlier, 2.4.4-P15 and earlier
Adobe Commerce B2B: 1.5.3-alpha2, 1.5.2-P2, 1.4.2-P7, 1.3.4-P14 and 1.3.3-P15
Magento Open Source: 2.4.9-alpha2 and earlier, 2.4.8-P2 and earlier, 2.4.7-P7 and earlier, 2.4.6-P12 and earlier, 2.4.5-P14 and earlier
Custom Attribute Serializable Module:
In addition to releasing a hotfix for the vulnerability, Adobe said it has deployed Web Application Firewall (WAF) rules to help protect merchants running Adobe Commerce on its cloud infrastructure.

“SessionReaper is one of the more serious Magento vulnerabilities in history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024).”
The Netherlands-based company said it had successfully replicated one of the possible ways to exploit CVE-2025-54236, but noted that there are other possible ways to weaponize the vulnerability.
“The vulnerability follows the familiar pattern of last year’s space attacks,” he added. “This attack combines malicious sessions with nested agile deserialization bugs in Magento’s REST API.”
“Specific remote code execution vectors appear to require file-based session storage. However, there are multiple ways to exploit this vulnerability, so we recommend that you use Redis or a database session to perform actions immediately.”
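Because the remote code execution vectors described above depend on file-based session storage, the first thing a defender wants to know is which session handler a store actually uses. The following is an added example (not code from the original article, Adobe or Magento): it reads a Magento app/etc/env.php and reports whether session.save is file-based. The env.php fragments are constructed samples, and treating an unset handler as file-based is a labelled assumption about Magento's default.

```python
import re

# Constructed app/etc/env.php fragments (not from any real store).
ENV_FILES = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'cache_types' => ['config' => 1],
];
"""

ENV_REDIS = """<?php
return [
    'session' => [
        'save' => 'redis',
        'redis' => ['host' => '127.0.0.1', 'port' => '6379', 'database' => '2']
    ],
];
"""

ENV_UNSET = "<?php\nreturn [\n    'backend' => ['frontName' => 'admin'],\n];\n"


def _extract_block(text, key):
    """Return the text inside the [...] assigned to 'key' => [ ... ], balancing
    nested brackets so sub-arrays (e.g. the redis settings) do not end the scan early.
    Brackets inside string values are not handled; env.php values rarely contain them."""
    m = re.search(r"['\"]%s['\"]\s*=>\s*\[" % re.escape(key), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'[': 1, ']': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def session_save_handler(env_php):
    """Return the configured session.save handler ('files', 'redis', 'db', ...).
    Assumption: when no session.save is configured, Magento falls back to file sessions."""
    block = _extract_block(env_php, 'session')
    if block is None:
        return 'files'
    m = re.search(r"['\"]save['\"]\s*=>\s*['\"]([^'\"]+)['\"]", block)
    return m.group(1) if m else 'files'


def assess(env_php):
    """Summarise the finding: file-based sessions are the configuration the RCE vector relies on."""
    handler = session_save_handler(env_php)
    return {'handler': handler, 'file_based': handler == 'files'}
```

Run it against each store's env.php before and after migrating sessions to Redis or the database; a `file_based` result of True is the configuration to prioritise for the hotfix.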
Adobe has also shipped fixes for a critical path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that can lead to an arbitrary file system write. It affects all platforms in ColdFusion 2021 (update 21 and earlier), 2023 (update 15 and earlier), and 2025 (update 3 and earlier).