

Ethical Hacking News

A Critical Flaw in Adobe Commerce and Magento Open Source Platforms: A Warning for Merchants and Developers



A critical vulnerability has been discovered in the Adobe Commerce and Magento Open Source platforms, allowing attackers to take control of customer accounts. This article delves into the details of the identified flaw, its impact, and the necessary steps for merchants and developers to take to mitigate this risk.

  • Adobe Commerce and Magento Open Source have a critical vulnerability (CVE-2025-54236) that allows attackers to take control of customer accounts.
  • The vulnerability carries a CVSS score of 9.1, reflecting its severity and potential impact.
  • Affected versions include Adobe Commerce 2.4.9-alpha2 and earlier and Adobe Commerce B2B 1.5.3-alpha2 and earlier.
  • ColdFusion (CVE-2025-54261) also has a critical path traversal vulnerability, with a CVSS score of 9.0.
  • Adobe has released hotfixes and deployed web application firewall rules to block exploitation attempts.
  • Sansec recommends moving from file-based session storage to Redis or database sessions to minimize the risk associated with CVE-2025-54236.



A critical vulnerability has been disclosed in the Adobe Commerce and Magento Open Source platforms. The flaw, tracked as CVE-2025-54236 (aka SessionReaper), is described as an improper input validation issue that can allow attackers to take control of customer accounts.

According to Adobe's advisory issued on September 10, 2025, the vulnerability has a CVSS score of 9.1 out of a maximum of 10.0. The issue affects Adobe Commerce (all deployment methods), Adobe Commerce B2B, and Magento Open Source.

For Adobe Commerce, the affected releases span 2.4.9-alpha2 and earlier down to 2.4.4-p15 and earlier; for Adobe Commerce B2B, 1.5.3-alpha2 and earlier down to 1.3.3-p15 and earlier; for Magento Open Source, 2.4.9-alpha2 and earlier down to 2.4.6-p12 and earlier.

A critical path traversal vulnerability in ColdFusion (CVE-2025-54261) is another notable concern, with a CVSS score of 9.0. It affects ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier).

Adobe has released hotfixes for both vulnerabilities. The company has also deployed web application firewall rules to protect merchants running Adobe Commerce on Cloud infrastructure against exploitation attempts.

Sansec, a Netherlands-based e-commerce security firm, has reproduced one way to exploit CVE-2025-54236 and notes that other avenues to weaponize the vulnerability exist. The firm stresses the importance of using Redis or database sessions rather than file-based session storage to reduce the risk posed by this flaw.

The reproduced attack combines a malicious session with a nested deserialization bug in Magento's REST API, which points to a possible remote code execution vector; that path depends on file-based session storage. Because there are multiple ways to abuse the vulnerability, Sansec recommends that merchants act immediately and consider changing their session storage backend in addition to patching.
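The session-storage change Sansec recommends, as an added example that is not code from the article, Adobe or Sansec: a small POSIX shell script that reports which session handler an install uses, flags the file-based one, and switches the store to Redis with the standard bin/magento CLI. It assumes the usual app/etc/env.php layout; the Redis host, port and database number are placeholder assumptions, and the change complements Adobe's hotfix rather than replacing it.

```shell
#!/bin/sh
# Added example, not code from the article, Adobe or Sansec: audit which session
# handler a Magento / Adobe Commerce install uses and move it off local files.
# Assumes the standard app/etc/env.php layout and the bin/magento CLI; the Redis
# host, port and database number below are placeholder assumptions.

# Print the session handler configured in env.php ('files', 'redis', 'db', ...).
# Magento falls back to 'files' when the key is absent, so that is reported too.
session_handler() {
    handler=$(sed -n "/'session' *=>/,/'save' *=>/ s/.*'save' *=> *'\([^']*\)'.*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${handler:-files}"
}

# Exit 0 when sessions are kept server-side in Redis or the database, 1 when
# they sit in var/session/ on local disk (the storage Sansec's reproduced
# CVE-2025-54236 path relies on).
session_is_hardened() {
    case "$(session_handler "$1")" in
        redis|db) return 0 ;;
        *)        return 1 ;;
    esac
}

# Switch a store to Redis-backed sessions. Takes the Magento root directory;
# the connection values are placeholders to replace with your own.
harden_session_storage() {
    magento_root="$1"
    if session_is_hardened "$magento_root/app/etc/env.php"; then
        echo "session storage already server-side, nothing to do"
        return 0
    fi
    "$magento_root/bin/magento" setup:config:set \
        --session-save=redis \
        --session-save-redis-host=127.0.0.1 \
        --session-save-redis-port=6379 \
        --session-save-redis-db=2 \
    && "$magento_root/bin/magento" cache:flush
}

# Usage: harden_session_storage /var/www/magento
```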

This critical flaw highlights the importance of regular software updates, thorough testing, and a robust security posture for e-commerce platforms. Merchants and developers must stay vigilant and act swiftly to patch these vulnerabilities before they can be exploited by malicious actors.

In conclusion, the discovery of CVE-2025-54236 in Adobe Commerce and Magento Open Source platforms underscores the need for vigilance within the e-commerce community. By staying informed and taking proactive measures, individuals and organizations can minimize their risk exposure and protect themselves against potential security breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Adobe-Commerce-and-Magento-Open-Source-Platforms-A-Warning-for-Merchants-and-Developers-ehn.shtml

  • https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html

  • https://cyberwebspider.com/blog/the-hacker-news/adobe-commerce-flaw-cve-2025-54236-lets-hackers-take-over-customer-accounts/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-54236

  • https://www.cvedetails.com/cve/CVE-2025-54236/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-54261

  • https://www.cvedetails.com/cve/CVE-2025-54261/


  • Published: Tue Sep 9 20:47:14 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
