Adobe has issued a severe security warning about a critical vulnerability in its Commerce and Magento Open Source platforms, giving it the name SessionReaper. This flaw, identified as CVE-2025-54236, has a high CVSS score of 9.1 and could allow attackers to gain full control of customer accounts through the Commerce REST API. Adobe noted that it hasn’t detected any active exploits in the wild, but the risk is significant enough to require immediate action from users.
The vulnerability is described as an improper input validation flaw, a common issue where an application fails to properly sanitize user-provided data, leading to a variety of potential attacks. It affects a wide range of versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Additionally, the Custom Attributes Serializable module, versions 0.1.0 to 0.4.0, is also impacted. Adobe has released a hotfix and has also deployed web application firewall rules to protect cloud environments from potential attacks.
Security experts at Sansec have likened the severity of SessionReaper to other historic Magento vulnerabilities, such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). Sansec successfully created a proof-of-concept exploit that shows how an attack could work, combining a malicious session with a nested deserialization bug in Magento’s REST API. This exploit shares a similar pattern with last year’s CosmicSting attack.
The most straightforward way to exploit the vulnerability seems to require file-based session storage. However, experts are urging all merchants to take immediate action, including those using Redis or database sessions, as other methods to exploit the flaw are likely possible. The broad range of affected products and versions highlights the urgency for all users to apply the patches or hotfixes provided by Adobe to secure their platforms and protect their customers.
In addition to the SessionReaper vulnerability, Adobe has also released fixes for another critical security flaw in ColdFusion. This vulnerability, tracked as CVE-2025-54261 with a CVSS score of 9.0, is a path traversal bug that could allow attackers to write arbitrary files to the file system. It affects specific versions of ColdFusion 2021, 2023, and 2025 across all platforms.
Reference:
