Flaw dubbed ‘SessionReaper’: Critical vulnerability in Adobe Commerce and Magento identified
By Tahir Amin
ISLAMABAD: The National Computer Emergency Response Team (NCERT) has issued a high-priority advisory warning to businesses of a critical vulnerability in Adobe Commerce and Magento Open Source platforms, dubbed SessionReaper.
The flaw, tracked as CVE-2025-54236, has been rated at CVSS 9.1 (Critical) and arises from improper input validation in the Commerce REST API. Successful exploitation could allow attackers to hijack customer sessions, gain unauthorized access to accounts, and, under certain conditions, execute remote code on affected servers.
According to NCERT, the vulnerability impacts multiple deployment methods of Adobe Commerce, Magento Open Source, B2B extensions, and the Custom Attributes Serializable Module. It poses a high risk of customer data theft, hijacked transactions, and potential full system compromise.
If exploited, attackers could achieve:
- account takeover and theft of sensitive customer information;
- remote code execution (RCE) in environments with file-based session storage enabled;
- privilege escalation through stolen tokens or API keys; and
- service disruption, potentially leading to widespread downtime of eCommerce operations.
NCERT has urged organizations to apply the emergency hotfix VULN-32437-2-4-X-patch, or to upgrade to the patched release referenced in Adobe's security bulletin APSB25-88, without delay. It also recommended rotating administrator and API credentials immediately, restricting REST API exposure to trusted networks, enforcing strict WAF/IDS/IPS rules to detect and block malicious traffic, and monitoring logs for abnormal login attempts, session manipulation and privilege escalation.
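Two of the recommendations above, restricting REST API exposure to trusted networks and watching logs for abnormal login attempts, can be checked mechanically against web-server access logs. The following script is an added example for this page, not code from NCERT, Adobe or Magento: it parses lines in the common "combined" log format, reports any client outside an allowlist that reached the Magento REST base path (/rest/), and flags clients with a burst of failed (401/403) REST calls. The trusted networks, the failure threshold and the sample log lines (which use RFC 5737 documentation addresses) are assumptions constructed for the example.

```python
"""Scan access-log lines for REST API use from untrusted networks and for
bursts of failed REST authentication. Added example; thresholds, networks
and log lines are assumptions, not data from any advisory."""
import ipaddress
import re
from collections import Counter

# Assumption: networks that legitimately reach the REST API (internal
# integrations, storefront proxy). Adjust to your own deployment.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumption: flag a client after this many 401/403 responses on REST paths.
FAILED_AUTH_THRESHOLD = 3

# Magento exposes its REST API under /rest/ (e.g. /rest/V1/...).
REST_PREFIX = "/rest/"

# Combined log format: ip, ident, user, [timestamp], "METHOD path proto", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; no real incident data.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2025:10:00:01 +0000] "GET /rest/V1/customers/me HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [20/Oct/2025:10:00:02 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.32"
203.0.113.7 - - [20/Oct/2025:10:00:03 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.32"
203.0.113.7 - - [20/Oct/2025:10:00:04 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.32"
198.51.100.9 - - [20/Oct/2025:10:00:05 +0000] "GET /rest/V1/store/storeViews HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.6 - - [20/Oct/2025:10:00:06 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "curl/8.0"
198.51.100.9 - - [20/Oct/2025:10:00:07 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, method, path and status, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_trusted(ip):
    """True if ip lies in one of TRUSTED_NETWORKS; malformed ips are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan(log_text):
    """Count REST requests from untrusted clients and failed-auth bursts."""
    untrusted = Counter()
    failed_auth = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue
        if not is_trusted(rec["ip"]):
            untrusted[rec["ip"]] += 1
        if rec["status"] in (401, 403):
            failed_auth[rec["ip"]] += 1
    return {
        "untrusted_rest_clients": dict(untrusted),
        "failed_auth_bursts": {ip: n for ip, n in failed_auth.items()
                               if n >= FAILED_AUTH_THRESHOLD},
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, any entry under untrusted_rest_clients is a candidate for a firewall or WAF allowlist rule, and any entry under failed_auth_bursts is the kind of abnormal login pattern the advisory asks operators to watch for; the thresholds should be tuned to the site's normal integration traffic before alerting on them.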
The advisory warned that large-scale exploitation campaigns could emerge quickly, given the low complexity of attacks and the absence of authentication requirements.
“Timely patching is essential to prevent mass compromise of eCommerce platforms,” NCERT said, urging businesses to strengthen monitoring and apply defense-in-depth measures.
Copyright Business Recorder, 2025