Adobe has issued a warning regarding a critical vulnerability in Adobe Commerce and Magento Open Source platforms. The flaw, designated as CVE-2025-54236 and named "SessionReaper", has received a CVSS score of 9.1, classifying it as a critical severity threat.
The vulnerability stems from an input validation error and allows an attacker to take over customer accounts via the Commerce REST API. The attack does not require complex actions and can lead to serious consequences for online stores using these platforms.
Numerous versions of Adobe Commerce, Magento Open Source, and the Custom Attributes Serializable module (versions 0.1.0-0.4.0) are affected.
Although no active exploitation of this flaw has been recorded to date, Adobe has already released a hotfix and implemented appropriate WAF (Web Application Firewall) rules for its cloud customers.
Sansec, an e-commerce security firm, has rated "SessionReaper" as one of the most severe vulnerabilities in Magento's history, placing it on par with incidents like Shoplift (2015), TrojanOrder (2022), and CosmicSting (2024).

Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.