Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

Posted on By CWS

Sep 10, 2025Ravie LakshmananVulnerability / Software program Safety
Adobe has warned of a important safety flaw in its Commerce and Magento Open Supply platforms that, if efficiently exploited, may permit attackers to take management of buyer accounts.
The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS rating of 9.1 out of a most of 10.0. It has been described as an improper enter validation flaw. Adobe stated it isn’t conscious of any exploits within the wild.
“A possible attacker may take over buyer accounts in Adobe Commerce by means of the Commerce REST API,” Adobe stated in an advisory issued immediately.
The difficulty impacts the next merchandise and variations –

Adobe Commerce (all deployment strategies):

2.4.9-alpha2 and earlier
2.4.8-p2 and earlier
2.4.7-p7 and earlier
2.4.6-p12 and earlier
2.4.5-p14 and earlier
2.4.4-p15 and earlier

Adobe Commerce B2B:

1.5.3-alpha2 and earlier
1.5.2-p2 and earlier
1.4.2-p7 and earlier
1.3.4-p14 and earlier
1.3.3-p15 and earlier

Magento Open Supply:

2.4.9-alpha2 and earlier
2.4.8-p2 and earlier
2.4.7-p7 and earlier
2.4.6-p12 and earlier
2.4.5-p14 and earlier

Customized Attributes Serializable module:

Adobe, along with releasing a hotfix for the vulnerability, stated it has deployed internet utility firewall (WAF) guidelines to guard environments towards exploitation makes an attempt which will goal retailers utilizing Adobe Commerce on Cloud infrastructure.

“SessionReaper is among the extra extreme Magento vulnerabilities in its historical past, akin to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce safety firm Sansec stated.

The Netherlands-based agency stated it efficiently reproduced one attainable option to exploit CVE-2025-54236, however famous that there are different attainable avenues to weaponize the vulnerability.
“The vulnerability follows a well-recognized sample from final yr’s CosmicSting assault,” it added. “The assault combines a malicious session with a nested deserialization bug in Magento’s REST API.”
“The precise distant code execution vector seems to require file-based session storage. Nevertheless, we suggest retailers utilizing Redis or database periods to take quick motion as nicely, as there are a number of methods to abuse this vulnerability.”
Adobe has additionally shipped fixes to comprise a important path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS rating: 9.0) that might result in an arbitrary file system write. It impacts ColdFusion 2021 (Replace 21 and earlier), 2023 (Replace 15 and earlier), and 2025 (Replace 3 and earlier) on all platforms.

The Hacker News Tags:, , , , , , ,

Related Posts

INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty The Hacker News
Business Case for Agentic AI SOC Analysts Business Case for Agentic AI SOC Analysts The Hacker News
Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome The Hacker News
New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks The Hacker News
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw The Hacker News
U.S. DoJ Seizes Fraud Domain Behind .6 Million Bank Account Takeover Scheme U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme The Hacker News