Adobe Commerce and Magento Vulnerability Allows Account Takeover

Adobe has disclosed a critical vulnerability (CVE-2025-54236) affecting its Commerce and Magento platforms. Researchers have dubbed the flaw SessionReaper, describing it as one of the most serious bugs in the history of these products.

The issue has been assigned a CVSS severity score of 9.1 out of 10. According to Adobe, it can be exploited without authentication to take over customer accounts via the Commerce REST API.

Patch Released

Adobe issued a patch for the flaw on September 9, after privately notifying “select Commerce customers” of the upcoming fix on September 4, per cybersecurity firm Sansec. Customers using Adobe Commerce on Cloud were already shielded by a temporary WAF (Web Application Firewall) rule deployed by Adobe.

So far, neither Adobe nor Sansec has observed real-world exploitation of SessionReaper. However, Sansec noted that an early hotfix for CVE-2025-54236 leaked online last week—giving attackers additional time to develop working exploits.

How the Exploit Works

Researchers explain that successful exploitation depends on session data being stored in the file system—a default configuration for most deployments.

Administrators are strongly urged to apply the official patch immediately. Sansec warns, however, that the fix disables certain internal Magento functions, which could cause issues for custom modules or third-party code.
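As an added illustration, not code from the article, Adobe, or Sansec: a small Python check that reads the `session` block of Magento's `app/etc/env.php` and reports whether sessions are file-backed, the precondition the researchers describe. The three `env.php` fragments below are constructed samples; treating a missing `save` key as `files` is an assumption based on what the Magento installer writes by default.

```python
import re
from typing import Optional

# Constructed samples of the 'session' block in Magento's app/etc/env.php
# (not taken from the article). The first is the file-backed configuration
# the article names as the exploit precondition; the second stores sessions
# in Redis; the third has no session block at all.
ENV_PHP_FILE_SESSIONS = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'MAGE_MODE' => 'production'
];
"""

ENV_PHP_REDIS_SESSIONS = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'redis' => [
            'host' => '127.0.0.1',
            'port' => '6379',
            'database' => '2'
        ],
        'save' => 'redis'
    ],
    'MAGE_MODE' => 'production'
];
"""

ENV_PHP_NO_SESSION_BLOCK = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'MAGE_MODE' => 'production'
];
"""

# Assumption: with no 'session' => ['save' => ...] entry, Magento falls back
# to file-based sessions, which is also what the installer writes by default.
DEFAULT_SAVE_HANDLER = "files"


def session_block(env_php: str) -> Optional[str]:
    """Return the text inside 'session' => [ ... ], or None if absent.

    Brackets are matched by depth so a nested sub-array (e.g. 'redis' => [...])
    does not cut the block short.
    """
    start = re.search(r"'session'\s*=>\s*\[", env_php)
    if start is None:
        return None
    depth, i = 1, start.end()
    while i < len(env_php) and depth > 0:
        if env_php[i] == "[":
            depth += 1
        elif env_php[i] == "]":
            depth -= 1
        i += 1
    if depth != 0:
        return None  # unbalanced file: report as unreadable rather than guess
    return env_php[start.end():i - 1]


def session_save_handler(env_php: str) -> str:
    """Extract the configured session save handler ('files', 'redis', 'db', ...)."""
    block = session_block(env_php)
    if block is None:
        return DEFAULT_SAVE_HANDLER
    # Only a top-level 'save' key of the session array counts, so strip nested
    # [...] arrays (repeatedly, in case they are nested more than one level).
    top_level = block
    while True:
        stripped = re.sub(r"\[[^\[\]]*\]", "", top_level)
        if stripped == top_level:
            break
        top_level = stripped
    m = re.search(r"'save'\s*=>\s*'([A-Za-z0-9_]+)'", top_level)
    return m.group(1) if m else DEFAULT_SAVE_HANDLER


def assess(env_php: str) -> dict:
    """Summarise whether the file-system precondition named in the article holds."""
    handler = session_save_handler(env_php)
    file_backed = handler == "files"
    return {
        "save_handler": handler,
        "file_backed_sessions": file_backed,
        "advice": (
            "sessions are file-backed: apply Adobe's patch immediately"
            if file_backed
            else "sessions are not file-backed: still apply Adobe's patch"
        ),
    }


if __name__ == "__main__":
    for name, env in [
        ("files", ENV_PHP_FILE_SESSIONS),
        ("redis", ENV_PHP_REDIS_SESSIONS),
        ("none", ENV_PHP_NO_SESSION_BLOCK),
    ]:
        print(name, assess(env))
```

On a real deployment, read `app/etc/env.php` from the Magento root and pass its contents to `assess()`; a non-file backend lowers exposure to this particular precondition but is no substitute for the patch, which Adobe and Sansec both say to apply regardless.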

Serious Security Risk

Sansec expects CVE-2025-54236 to be weaponized in automated, large-scale attacks. The firm places it among the most critical vulnerabilities ever found in Magento, alongside CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.

Historically, flaws of this nature have enabled session hijacking, privilege escalation, access to internal services, and even remote code execution—making timely patching essential.