Adobe has released an urgent patch for a critical vulnerability in its Commerce and Magento Open Source platforms. The flaw, tracked as CVE-2025-54236 and dubbed SessionReaper by researchers, allows attackers to bypass security checks and take over customer accounts through the Commerce REST API without requiring authentication. Security firm Sansec described the issue as one of the most severe vulnerabilities in Magento’s history.
Adobe privately warned selected Commerce customers on September 4, ahead of the public patch release on September 9, 2025. Adobe Commerce Cloud customers were temporarily shielded by a web application firewall (WAF) rule, but a WAF rule is a stopgap rather than a fix; on-premises and open-source deployments in particular remain at high risk until the patch is actually applied. Adobe said it was not aware of in-the-wild exploitation at the time of the advisory, but acknowledged the seriousness of the threat.
Concerns were heightened when Sansec reported that a hotfix for CVE-2025-54236 had leaked the week before the public release. A leaked patch lets attackers diff the changed code and start building exploits before many administrators have had a chance to deploy the official update. The vulnerability is particularly dangerous because it appears tied to session data stored on the file system, which is the default setup for most Magento stores.
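Because the reported risk factor is file-based session storage, the first thing an operator should establish is which session backend their store actually runs. The following script is an added example (not code from the article, Adobe or Sansec) that reads the session configuration out of app/etc/env.php, where Magento 2 stores it as 'session' => ['save' => 'files' | 'db' | 'redis', ...]. It assumes that layout, and it assumes that a missing 'session'/'save' entry means Magento falls back to 'files', its documented default. The embedded env.php fragment is constructed for the example. Note that the check only tells you whether you are in the default configuration researchers point to; it does not mean a Redis or database backend is safe, and every store needs the patch regardless.

```python
"""Report the session save handler configured for an Adobe Commerce /
Magento Open Source store by parsing app/etc/env.php (no PHP needed).

Added example, not part of the original article. Assumptions:
  * env.php contains 'session' => ['save' => '<handler>', ...]
  * a missing entry means the Magento default, 'files'
"""
import re
import sys

# Constructed sample of an env.php as written by `bin/magento setup:install`
# with default options; only the keys relevant to this check are shown.
SAMPLE_ENV_PHP = r"""<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'db' => [
        'connection' => [
            'default' => [
                'host' => 'localhost',
                'dbname' => 'magento',
                'username' => 'magento',
                'password' => 'secret',
            ]
        ]
    ],
    'session' => [
        'save' => 'files'
    ],
    'MAGE_MODE' => 'production',
];
"""

_SESSION_OPEN = re.compile(r"'session'\s*=>\s*\[")
_SAVE_VALUE = re.compile(r"'save'\s*=>\s*'([^']*)'")


def _session_block(text):
    """Return the text inside the 'session' => [ ... ] array, honouring
    nested brackets (e.g. a 'redis' => [...] sub-array), or None if absent."""
    m = _SESSION_OPEN.search(text)
    if not m:
        return None
    depth, i, start = 1, m.end(), m.end()
    while i < len(text) and depth:
        if text[i] == "[":
            depth += 1
        elif text[i] == "]":
            depth -= 1
        i += 1
    return text[start:i - 1]


def session_backend(env_php_text):
    """Return the configured session save handler ('files', 'db', 'redis', ...).
    Falls back to 'files' when env.php has no session/save entry (assumed
    Magento default)."""
    block = _session_block(env_php_text)
    if block is None:
        return "files"
    m = _SAVE_VALUE.search(block)
    return m.group(1) if m else "files"


def uses_filesystem_sessions(env_php_text):
    """True when sessions are written to the file system, the default setup
    the SessionReaper reports tie the vulnerability to."""
    return session_backend(env_php_text) == "files"


def main(argv):
    # Usage: python check_session_backend.py /var/www/magento/app/etc/env.php
    # With no argument the constructed sample above is analysed.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ENV_PHP
    backend = session_backend(text)
    print(f"session save handler: {backend}")
    if backend == "files":
        print("file-based sessions (Magento default): the configuration "
              "SessionReaper reporting points to; treat the patch as an emergency")
    else:
        print("non-default session backend; the patch is still required")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real env.php on each store host (the file is readable only by the web server user and deployment account, so run it there rather than copying the file around, since it also contains database credentials).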
Administrators are being urged to test and deploy the patch immediately. Adobe warns that the update changes internal REST API functionality and may break custom or third-party code that depends on it, so the patch should be verified in a staging environment, but not held back for long: Adobe has updated its developer documentation to walk through the changes in constructor parameter injection, and it stressed that unpatched systems remain vulnerable, with limited remediation options once a store is compromised.
Researchers expect SessionReaper to be weaponized quickly and at scale, similar to past high-profile Magento flaws such as CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift. These earlier attacks were exploited for privilege escalation, session forging, internal service access, and even full remote code execution, often leading to widespread compromise of e-commerce platforms.
Sansec confirmed it successfully reproduced the SessionReaper exploit but has withheld technical details to prevent immediate abuse. The firm noted, however, that the vulnerability follows a familiar exploitation pattern seen in last year’s CosmicSting attack, making it highly likely that attackers will adapt existing tooling for automated campaigns.
E-commerce operators running Adobe Commerce or Magento Open Source should treat SessionReaper as a top-priority emergency patch. Applying the fix immediately and then testing integrations is the remediation; layered defenses such as a WAF in front of the REST API and multi-factor authentication on administrator accounts reduce exposure but do not replace the patch. With a leaked hotfix already in circulation, the window before widespread exploitation may be short.