Scrape Timestamp (UTC): 2025-09-10 01:11:43.094
Source: https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html
Original Article Text
Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of any exploits in the wild.

"A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API," Adobe said in an advisory issued today.

The issue impacts the following products and versions:

Adobe Commerce (all deployment methods):
Adobe Commerce B2B:
Magento Open Source:
Custom Attributes Serializable module:

Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure.

"SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024)," e-commerce security company Sansec said. The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability.

"The vulnerability follows a familiar pattern from last year's CosmicSting attack," it added. "The attack combines a malicious session with a nested deserialization bug in Magento's REST API."

"The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability."
Adobe has also shipped fixes to contain a critical path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that could lead to an arbitrary file system write. It impacts ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.
Daily Brief Summary
Adobe has identified a critical security flaw, CVE-2025-54236, in its Commerce and Magento Open Source platforms, potentially allowing attackers to control customer accounts.
The vulnerability, named SessionReaper, scores 9.1 on the CVSS scale and involves improper input validation via the Commerce REST API.
Adobe has issued a hotfix and implemented web application firewall rules to protect against potential exploitation attempts targeting its cloud infrastructure.
E-commerce security firm Sansec notes SessionReaper's severity, comparing it to past significant Magento vulnerabilities like Shoplift and TrojanOrder.
The flaw involves a malicious session and a nested deserialization bug, with multiple exploitation paths, including a remote code execution vector requiring file-based session storage.
Merchants using Redis or database sessions are advised to take immediate action, as various avenues exist to exploit this vulnerability.
Adobe has also addressed a critical path traversal vulnerability in ColdFusion, CVE-2025-54261, which could lead to arbitrary file system writes, affecting multiple versions across platforms.