Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack
CVE-2025-54236 is a critical flaw in Adobe Commerce (formerly Magento) that allows attackers to remotely take over sessions on the e-commerce platform.
Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.
Adobe · Commerce and Magento
Known ransomware use: Unknown
Follow the source advisory and validate exposure in your environment.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Recent reporting that mentions CVE-2025-54236.
CVE-2025-54236 is a critical flaw in Adobe Commerce (formerly Magento) that allows attackers to remotely take over sessions on the e-commerce platform.
Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (formerly Magento) platforms, with hundreds of attempts recorded. [...]
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts
Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of " the most severe" flaws in the history of the product. [...]