Adobe patches 'most severe' flaw in Magento eCommerce platform
The company found a bug that could lead to full account takeover

- Adobe patched a critical Web API flaw in Commerce and Magento
- The bug, dubbed SessionReaper, scored 9.1/10 and affects multiple versions
- Researchers warn the leaked hotfix may aid attackers
Adobe has patched a critical vulnerability in its Commerce and Magento Open Source platforms that could lead to full account takeover.
In a recently published security advisory, Adobe said it fixed an Improper Input Validation (CWE-20) vulnerability affecting the ServiceInputProcessor component of the Web API.
In other words, it allows malicious, improperly validated API requests to bypass security controls. Researchers dubbed it SessionReaper.
Most severe flaw ever
The bug is now tracked as CVE-2025-54236 and has been given a severity score of 9.1/10 (critical) on the National Vulnerability Database (NVD).
Vulnerable versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, the NVD page says.
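As an added example (not code from the article, Adobe, or the Magento project), a small Python check that tells whether an installed Commerce/Magento version string falls inside the affected range listed above. The version grammar and the reading of "and earlier" as also covering older, unlisted branches (such as 2.4.3) are my assumptions; the hotfix does not change the version string, so this only identifies installs that need it.

```python
import re

# Ceilings from the NVD listing quoted in the article: each branch is affected
# at this patch level "and earlier".
AFFECTED_CEILINGS = ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                     "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"]

# Assumed grammar: major.minor.patch with an optional -alphaN/-betaN/-pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Pre-releases sort below the plain release, patch levels (pN) sort above it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text):
    """Turn '2.4.8-p2' into a comparable tuple (2, 4, 8, rank, 2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, kind, num = m.groups()
    return (int(major), int(minor), int(patch), _SUFFIX_RANK[kind], int(num or 0))


def is_affected(version):
    """True if `version` is at or below the listed ceiling for its branch."""
    v = parse_version(version)
    ceilings = {parse_version(c)[:3]: parse_version(c) for c in AFFECTED_CEILINGS}
    branch = v[:3]
    if branch in ceilings:
        return v <= ceilings[branch]
    # Unlisted branch (assumption): anything older than the oldest listed
    # branch counts as "earlier"; anything newer is outside the listed range.
    return branch < min(ceilings)


def needing_hotfix(inventory):
    """Given {store_name: version}, return the store names still exposed."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"shop-eu": "2.4.7-p7", "shop-us": "2.4.8-p3", "legacy": "2.4.3-p3"}
    print(needing_hotfix(sample))
```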
“A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.” Adobe Commerce on Cloud customers are protected by a web application firewall (WAF), the company confirmed.
The company says it is not aware of any exploits in the wild but, according to BleepingComputer, describes it as “the most severe” flaw in the history of the platform.
A patch was released on September 9, and customers are urged to apply it without delay. "Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited means to help remediate,” Adobe warned.
While there is no evidence of in-the-wild abuse, security outfit Sansec said the initial hotfix for SessionReaper was leaked a few days ago, which could allow malicious actors to reverse-engineer it and find additional holes to exploit, BleepingComputer reported.
At the same time, some researchers believe deploying the fix could break some external code, since it disables certain Magento functionality.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.