By Sead Fadilpašić
Copyright techradar
10 September 2025
Adobe has patched a bug in Commerce and Magento Open Source that could lead to full account takeover
Adobe patched a critical Web API flaw in Commerce and Magento
The bug, dubbed SessionReaper, scored 9.1/10 and affects multiple versions
Researchers warn the leaked hotfix may aid attackers
Adobe has patched a critical vulnerability in its Commerce and Magento Open Source platforms that could lead to full account takeover.
In a recently published security advisory, Adobe said it fixed an Improper Input Validation (CWE-20) vulnerability affecting the ServiceInputProcessor component of the Web API.
In other words, crafted API requests that the component fails to validate properly can bypass security controls. Researchers have dubbed the flaw SessionReaper.
Most severe flaw ever
The bug is now tracked as CVE-2025-54236 and has been given a severity score of 9.1/10 (critical) on the National Vulnerability Database (NVD).
Vulnerable versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, the NVD page says.
“A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.” Adobe Commerce on Cloud customers are protected by a web application firewall (WAF), the company confirmed.
The company says it is not aware of any exploits in the wild but, according to BleepingComputer, describes it as “the most severe” flaw in the history of the platform.
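As a practitioner's check, here is an added example (written for this page, not code from TechRadar, Adobe or the Magento project) that parses Magento version strings, orders them the way Magento's own scheme requires (pre-release below GA, patch level above it), and flags any that fall inside the affected range listed above. The ceilings are taken directly from the NVD list quoted in the article; the inventory at the bottom is constructed sample data. One caveat: the fix ships as a hotfix applied on top of an installed release, so the version string does not change once it is applied. This check therefore tells you which instances are in the affected range and need attention, not whether the hotfix is already in place.

```python
import re
from typing import Dict, List, Tuple

# Affected ceilings as listed on the NVD entry quoted in the article: each
# release line is affected up to and including the listed build, and every
# release line older than 2.4.4 ("and earlier") is affected entirely.
AFFECTED_CEILINGS: Dict[Tuple[int, int, int], str] = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}

# Magento version strings look like 2.4.8, 2.4.8-p2 or 2.4.9-alpha2.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"           # base release, e.g. 2.4.8
    r"(?:-(alpha|beta|rc)(\d+))?"      # optional pre-release tag, e.g. -alpha2
    r"(?:-p(\d+))?$"                   # optional patch level, e.g. -p2
)

# Pre-release tags sort below the GA build of the same base version.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_GA_RANK = 3


def parse_version(text: str) -> Tuple[int, int, int, int, int, int]:
    """Turn a Magento version string into a tuple that sorts correctly.

    Ordering: 2.4.9-alpha1 < 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1, and
    2.4.8-p2 < 2.4.9-alpha2 because the base release is compared first.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, pre_tag, pre_num, plevel = m.groups()
    return (
        int(major), int(minor), int(patch),
        _PRE_RANK.get(pre_tag, _GA_RANK),
        int(pre_num or 0),
        int(plevel or 0),
    )


def in_affected_range(version: str) -> bool:
    """True when the version falls inside the published affected range."""
    v = parse_version(version)
    line = v[:3]
    if line < min(AFFECTED_CEILINGS):
        return True   # older than every listed line: covered by "and earlier"
    ceiling = AFFECTED_CEILINGS.get(line)
    if ceiling is None:
        return False  # a release line newer than anything in the published list
    return v <= parse_version(ceiling)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if in_affected_range(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> version), not real data.
    sample = {
        "shop-eu-1": "2.4.8-p2",
        "shop-eu-2": "2.4.8-p3",
        "shop-us-1": "2.4.7-p7",
        "shop-staging": "2.4.9-alpha2",
        "shop-legacy": "2.4.3-p3",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is in the affected range; confirm the hotfix is applied")
```

Feed `triage()` the versions you collect from each store (for example, the output of `bin/magento --version` on each host) and treat every flagged instance as unpatched until you have confirmed the hotfix separately. A version newer than the listed ceiling for its line is not flagged, which matches the advisory's wording but should not be read as a guarantee.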
A patch was released on September 9, and customers are urged to apply it without delay. “Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited means to help remediate,” Adobe warned.
While there is no evidence of in-the-wild abuse, security outfit Sansec said the initial hotfix for SessionReaper was leaked a few days ago, which could allow malicious actors to reverse-engineer it and find additional holes to exploit, BleepingComputer reported.
At the same time, some researchers believe deploying the fix could break external code, since it disables certain Magento functionality.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.