Adobe has issued a warning about a critical security flaw in its Commerce and Magento Open Source platforms, which could allow attackers to take control of customer accounts. This vulnerability, identified as CVE-2025-54236 and dubbed “SessionReaper,” has a score of 9.1 on the CVSS scale, indicating its high severity. According to Adobe, a potential attacker could exploit this flaw through the Commerce REST API.
A problem Adobe is aware of
The flaw is described as an improper input validation error. Although Adobe has not confirmed exploitation in the wild, security firms such as Sansec have stated that they were able to reproduce at least one method of exploiting the vulnerability. “SessionReaper” is considered one of the most severe vulnerabilities in Magento’s history, comparable to earlier incidents such as Shoplift in 2015 and CosmicSting in 2024.
Adobe has responded by releasing a hotfix and web application firewall (WAF) rules to protect merchants using Adobe Commerce, specifically on its Cloud infrastructure. Merchants are advised to update quickly. Those using file-based session storage are the most exposed, but merchants using Redis or database sessions are also advised to act immediately, because there are multiple ways to exploit the vulnerability.
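Because the advisory prioritises installs with file-based session storage, a practitioner will want a quick way to confirm which session backend a given Magento 2 / Adobe Commerce deployment actually uses. The script below is an added example written for this article; it is not Adobe's, Magento's or Sansec's tooling. It assumes it is run from the Magento root (or given the root as its first argument) and that app/etc/env.php uses the standard Magento 2 deployment-config layout, where the backend is stored under 'session' => ['save' => ...].

```php
<?php
// Added example for this article; not Adobe's or Magento's own code.
// Reports which session storage backend a Magento 2 / Adobe Commerce install
// uses, by reading the 'session' => ['save' => ...] entry in app/etc/env.php.
// Assumption: run from the Magento root, or pass the root as argv[1];
// the env.php key layout follows the standard Magento 2 deployment config.

declare(strict_types=1);

$root = $argv[1] ?? getcwd();
$envFile = rtrim($root, '/') . '/app/etc/env.php';

if (!is_readable($envFile)) {
    fwrite(STDERR, "Cannot read {$envFile}; run from the Magento root or pass it as the first argument.\n");
    exit(2);
}

/** @var array<string,mixed> $env */
$env = include $envFile;

// Magento falls back to file-based sessions when 'session'/'save' is not set.
$backend = $env['session']['save'] ?? 'files';

$note = match ($backend) {
    'files'       => 'file-based sessions: the configuration the advisory singles out as highest priority',
    'redis', 'db' => 'Redis/database sessions: still advised to apply the hotfix immediately',
    default       => 'unrecognised backend value; verify the configuration manually',
};

printf("Session backend: %s (%s)\n", $backend, $note);

// Exit non-zero for file-based sessions so the check can gate a deployment pipeline.
exit($backend === 'files' ? 1 : 0);
```

Run it as `php check-session-backend.php /var/www/magento` on each environment; a non-zero exit flags the highest-priority installs for the hotfix, while a zero exit should not be read as safe, since the article notes that every backend needs the update.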
In addition to this vulnerability, Adobe has also released fixes for a critical flaw in ColdFusion, designated CVE-2025-54261, which can allow arbitrary writes to the file system and carries a CVSS score of 9.0. Both cases underline the importance of keeping systems and applications up to date, at a time when cybersecurity is becoming increasingly crucial.