Ethical Hacking News
Adobe has issued an emergency security update for Adobe Commerce and Magento Open Source to close a critical flaw tracked as CVE-2025-54236, which researchers have dubbed SessionReaper and describe as one of the most severe vulnerabilities in the product's history. The disclosure has drawn immediate attention from e-commerce operators and developers.
According to Adobe, the flaw was found through internal testing and vulnerability research, and there is no evidence of in-the-wild exploitation yet. Security experts nonetheless warn that it can be used to bypass security features and take control of customer accounts through the Commerce REST API.
Sansec, an e-commerce security company, reports that Adobe notified "selected Commerce customers" on September 4 of the upcoming emergency fix scheduled for September 9. Sansec also notes that stores running Adobe Commerce on Cloud are already shielded by a web application firewall (WAF) rule that Adobe deployed as an interim measure; that protection applies only to the Cloud-hosted offering.
Adobe has released a hotfix for the flaw, which can be exploited without authentication to take control of customer accounts through the Commerce REST API. The company urges customers to apply it as soon as possible, warning that unpatched stores remain exposed and that Adobe will have limited means to help remediate a compromise. Administrators should test and deploy the patch immediately, bearing in mind the researchers' warning that the fix disables internal Magento functionality and may therefore break some custom or third-party code.
Sansec researchers expect CVE-2025-54236 to be abused via automation, at scale. They note that the vulnerability is among the most severe Magento vulnerabilities in the history of the platform, alongside CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.
Similar issues in the past were leveraged for session forging, privilege escalation, internal service access, and code execution.
The researchers warn that the SessionReaper exploit follows a familiar pattern from last year's CosmicSting attack.
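The following is an added example, not code from Adobe, Sansec, or the linked articles, and it encodes no detail of the SessionReaper exploit itself, which neither this page nor its sources describe. It shows one generic heuristic a store operator can run while a patch window is being arranged: parse the web server's access log (Apache/Nginx combined format is assumed) and flag clients that hammer Magento's /rest/ API prefix in a short window, the kind of automated, at-scale abuse Sansec anticipates. The log lines, the window length and the threshold are all constructed assumptions to tune per store.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format (assumed); Magento exposes its REST API
# under /rest/<store code>/V1/..., so the /rest/ prefix selects API traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REST_PREFIX = "/rest/"


def _line(ip, second, method, path, status, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [09/Sep/2025:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 123 "-" "{ua}"')


# Constructed sample: one client hitting the REST API 12 times in 12 seconds,
# two ordinary clients making a single API call each. Paths are illustrative only.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", f"/rest/V1/guest-carts/{s}", 400,
           "python-requests/2.32") for s in range(12)]
    + [
        _line("198.51.100.20", 5, "GET", "/catalog/product/view/id/42", 200, "Mozilla/5.0"),
        _line("198.51.100.20", 9, "GET", "/rest/V1/directory/countries", 200, "Mozilla/5.0"),
        _line("192.0.2.44", 30, "GET", "/rest/V1/store/storeViews", 200, "curl/8.4"),
    ]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def rest_activity(log_text, window_seconds=60):
    """Summarise REST API traffic per client: total hits, peak hits inside any
    sliding window of window_seconds, and the distinct paths and user agents seen."""
    records = [r for r in map(parse_line, log_text.splitlines())
               if r and r["path"].startswith(REST_PREFIX)]
    records.sort(key=lambda r: r["ts"])  # tolerate out-of-order input
    windows = defaultdict(deque)         # ip -> timestamps inside the current window
    summary = defaultdict(lambda: {"total": 0, "peak": 0,
                                   "paths": set(), "user_agents": set()})
    for r in records:
        q = windows[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        s = summary[r["ip"]]
        s["total"] += 1
        s["peak"] = max(s["peak"], len(q))
        s["paths"].add(r["path"])
        s["user_agents"].add(r["ua"])
    return dict(summary)


def flag_bursts(log_text, window_seconds=60, threshold=10):
    """Return only the clients whose peak REST hit rate reaches the threshold."""
    return {ip: s for ip, s in rest_activity(log_text, window_seconds).items()
            if s["peak"] >= threshold}


if __name__ == "__main__":
    for ip, s in flag_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {s['peak']} REST hits in 60s window, "
              f"{len(s['paths'])} distinct paths, agents={sorted(s['user_agents'])}")
```

Run it against a real access log with `flag_bursts(open(path).read())`. A flagged client is a lead, not a verdict: legitimate integrations also call the REST API in bursts, so compare the user agent and path set against known partners before blocking, and treat this as a stopgap that does not replace Adobe's hotfix.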
Related Information:
https://www.ethicalhackingnews.com/articles/A-Adobe-Alert-Critical-SessionReaper-Flaw-Patches-in-Magento-eCommerce-Platform-ehn.shtml
https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/
Published: Tue Sep 9 11:56:43 2025 by llama3.2 3B Q4_K_M