Ethical Hacking News
A critical vulnerability in Adobe Commerce and Magento Open Source, dubbed SessionReaper and tracked as CVE-2025-54236, allows attackers to hijack customer accounts. Every release line that Adobe lists in its advisory is affected, and merchants are advised to patch immediately.
Security firm Sansec reported the flaw, which Adobe classifies as an improper input validation issue; according to Sansec it can lead to remote code execution under certain conditions. The vulnerability is exploited through the Commerce REST API by combining a malicious session with a deserialization bug, which lets an attacker manipulate session data and take over customer accounts. Because the attack targets the session layer rather than a single storefront feature, it applies to any store exposing the REST API, which is the default configuration.
The following products and versions are affected, according to Adobe's advisory:
- Adobe Commerce (all deployment methods):
  - 2.4.9-alpha2 and earlier
  - 2.4.8-p2 and earlier
  - 2.4.7-p7 and earlier
  - 2.4.6-p12 and earlier
  - 2.4.5-p14 and earlier
  - 2.4.4-p15 and earlier
- Adobe Commerce B2B:
  - 1.5.3-alpha2 and earlier
  - 1.5.2-p2 and earlier
  - 1.4.2-p7 and earlier
  - 1.3.4-p14 and earlier
  - 1.3.3-p15 and earlier
- Magento Open Source:
  - 2.4.9-alpha2 and earlier
  - 2.4.8-p2 and earlier
  - 2.4.7-p7 and earlier
  - 2.4.6-p12 and earlier
  - 2.4.5-p14 and earlier
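As an added check that is not part of the original article and not Adobe's or Sansec's tooling, the following Python script encodes the affected-version table above and reports whether a given product version sits at or below the listed ceiling for its release line. It assumes Magento's usual version format (`2.4.7-p7`, `2.4.9-alpha2`, GA builds with no suffix; alpha and beta builds sort below GA and `-pN` builds above it) and that `bin/magento --version` prints a line containing that version string. One caveat: Adobe shipped the fix for this CVE as a hotfix patch rather than a new release, so a result of `affected` means the patch is required for that version, not that it is still missing.

```python
"""Check an Adobe Commerce / Magento Open Source version against the
affected-version table published for CVE-2025-54236 (SessionReaper)."""
import re
from typing import NamedTuple, Tuple

# Ceilings copied from the advisory list ("X and earlier"). A build in the
# same release line (major.minor.patch) at or below its ceiling is affected.
AFFECTED_CEILINGS = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14"],
}

# Assumed ordering within one release line: alpha < beta < GA < p1 < p2 ...
_STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}

_VERSION_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+)(?:-(?P<stage>alpha|beta|p)(?P<num>\d+))?$"
)
# Loose pattern for pulling a version out of free text such as CLI output.
_CLI_VERSION_RE = re.compile(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?")


class Version(NamedTuple):
    base: Tuple[int, int, int]   # (major, minor, patch), e.g. (2, 4, 7)
    stage: int                   # rank from _STAGE_RANK
    num: int                     # alpha2 -> 2, p7 -> 7, GA -> 0


def parse_version(text: str) -> Version:
    """Parse '2.4.7-p7', '2.4.9-alpha2' or '2.4.8' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group("base").split("."))
    stage = m.group("stage") or "ga"
    num = int(m.group("num") or 0)
    return Version((major, minor, patch), _STAGE_RANK[stage], num)


def check_version(product: str, version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a product/version pair.

    'unlisted' means the release line does not appear in the advisory table;
    for lines older than the oldest listed one that usually means the line is
    out of support, which is not the same as safe.
    """
    v = parse_version(version_text)
    for ceiling_text in AFFECTED_CEILINGS[product]:
        ceiling = parse_version(ceiling_text)
        if ceiling.base != v.base:
            continue
        at_or_below = (v.stage, v.num) <= (ceiling.stage, ceiling.num)
        return "affected" if at_or_below else "fixed"
    return "unlisted"


def version_from_cli_output(output: str) -> str:
    """Extract the version from `bin/magento --version` output.

    Assumes the output contains the version string, e.g. 'Magento CLI 2.4.7-p3'.
    """
    m = _CLI_VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no Magento version found in: {output!r}")
    return m.group(0)


if __name__ == "__main__":
    # Constructed sample of what `bin/magento --version` prints on a store;
    # on a real host run that command and pass its output instead.
    sample_cli_output = "Magento CLI 2.4.7-p3"
    ver = version_from_cli_output(sample_cli_output)
    for product in ("Adobe Commerce", "Magento Open Source"):
        print(f"{product} {ver}: {check_version(product, ver)}")
```

Run it on a host with `python3 check.py` after substituting the real `bin/magento --version` output; the per-line comparison is what makes `2.4.8-p3` report `fixed` while `2.4.8` (GA, below `2.4.8-p2`) and `2.4.9-alpha1` report `affected`.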
blaklis, the researcher credited with reporting the vulnerability, noted that because the root cause is a deserialization bug in Magento's REST API, the flaw affects all session storage types rather than only one. Sansec advises every merchant on these platforms to act immediately, since there are multiple exploit paths.
At the time of publication Adobe said it was not aware of any attacks in the wild exploiting this vulnerability, but the fix should still be applied without delay. Sansec also noted that the flaw follows a familiar pattern from last year's CosmicSting attack (CVE-2024-34102), which likewise abused the REST API and was exploited at scale once details became public.
Merchants running any of the listed versions should apply Adobe's fix now. Since the attack targets session handling, invalidating existing customer sessions after patching is a reasonable precaution, as it cuts off any session an attacker may already hold.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-Exposed-The-SessionReaper-Vulnerability-in-Adobe-Commerce-and-Magento-Platforms-ehn.shtml
https://securityaffairs.com/182075/security/critical-flaw-sessionreaper-in-commerce-and-magento-platforms-lets-attackers-hijack-customer-accounts.html
https://nvd.nist.gov/vuln/detail/CVE-2025-54236
https://www.cvedetails.com/cve/CVE-2025-54236/
Published: Wed Sep 10 22:00:18 2025 by llama3.2 3B Q4_K_M