Adobe Commerce and Magento Vulnerability Enables Account Takeover

Adobe has disclosed a critical bug (CVE-2025-54236) that affects the Commerce and Magento platforms. Researchers have dubbed this vulnerability SessionReaper and describe it as one of the most serious in the entire history of these products.

Adobe has now released a patch for the issue, which carries a CVSS score of 9.1. The vulnerability can be exploited without authentication to take over customer accounts via the Commerce REST API.

According to experts from the cybersecurity company Sansec, Adobe notified “select Commerce customers” on September 4 about an upcoming fix, which was released on September 9.

Customers using Adobe Commerce on Cloud are already protected by a WAF rule deployed by Adobe as an interim mitigation.

So far, neither Adobe nor Sansec specialists are aware of any instances of SessionReaper being exploited in real-world attacks. However, Sansec reports that the initial hotfix for CVE-2025-54236 leaked online last week, giving attackers a head start on reverse-engineering the fix and developing an exploit.

According to the researchers, successful exploitation depends on session data being stored in the file system, which is Magento's default session storage and the configuration most stores run.
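Whether a store meets that precondition is decided by the session save handler in app/etc/env.php. The following check is an added example, not code from Adobe, Sansec or the Magento project: it reads an env.php file, extracts the session/save setting and treats a missing setting as file storage, since that is Magento's default handler. It assumes env.php uses the short `[ ... ]` array syntax that Magento 2 writes; the three env.php fragments at the bottom are constructed for illustration. A result of "files" means the store matches the condition the researchers describe; it is not a substitute for installing the patch, and a different backend does not make patching optional.

```python
"""Report which session save handler a Magento 2 env.php configures.

Added example for this article; not part of Magento. Assumes the short
array syntax ([...]) that Magento 2 emits when it writes app/etc/env.php.
"""
import re
import sys
from pathlib import Path

# Magento falls back to file-based sessions when env.php has no
# session/save entry, so an absent key must be reported as "files".
DEFAULT_HANDLER = "files"

_SESSION_BLOCK = re.compile(r"""['"]session['"]\s*=>\s*\[""")
_SAVE_KEY = re.compile(r"""['"]save['"]\s*=>\s*['"]([^'"]*)['"]""")


def _balanced_block(text: str, open_idx: int) -> str:
    """Return text from the '[' at open_idx through its matching ']'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "[":
            depth += 1
        elif text[i] == "]":
            depth -= 1
            if depth == 0:
                return text[open_idx:i + 1]
    # Unterminated block: return what we have so the caller still gets a look.
    return text[open_idx:]


def session_save_handler(env_php: str) -> str:
    """Return the configured handler name ('files', 'redis', 'db', ...)."""
    m = _SESSION_BLOCK.search(env_php)
    if not m:
        return DEFAULT_HANDLER
    block = _balanced_block(env_php, m.end() - 1)
    # Only the first 'save' key inside the session block is the handler;
    # nested redis/db sub-arrays do not use a key named exactly 'save'.
    s = _SAVE_KEY.search(block)
    if not s or not s.group(1).strip():
        return DEFAULT_HANDLER
    return s.group(1).strip().lower()


def uses_file_sessions(env_php: str) -> bool:
    """True when sessions live on disk, the precondition named in the article."""
    return session_save_handler(env_php) == "files"


# --- constructed env.php fragments for a stand-alone run ---------------------
ENV_DEFAULT = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'cache_types' => ['config' => 1],
];
"""

ENV_REDIS = """<?php
return [
    'session' => [
        'save' => 'redis',
        'redis' => [
            'host' => '127.0.0.1',
            'port' => '6379',
            'database' => '2'
        ]
    ],
];
"""

ENV_NO_SESSION_KEY = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'MAGE_MODE' => 'production',
];
"""

if __name__ == "__main__":
    # Usage: python check_session_storage.py /path/to/magento/app/etc/env.php
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8")
        print(f"{sys.argv[1]}: session handler = {session_save_handler(text)}")
    else:
        for name, text in (("default", ENV_DEFAULT), ("redis", ENV_REDIS),
                           ("no-session-key", ENV_NO_SESSION_KEY)):
            print(f"{name:15s} handler={session_save_handler(text):6s} "
                  f"file_sessions={uses_file_sessions(text)}")
```

Run it against a real store's app/etc/env.php as the first argument; with no argument it evaluates the three constructed fragments. The "no-session-key" case is the one worth remembering: an env.php that never mentions sessions is a file-storage store, not an unknown.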

Administrators are strongly advised to install the available patch as soon as possible. Experts warn, however, that the fix disables certain internal Magento functionality, which may break custom and third-party code; test the patch on a staging copy of the store before rolling it out, but do not let that testing delay the rollout.

Sansec experts expect that CVE-2025-54236 will be used in large-scale automated attacks. They note that this vulnerability ranks among the most serious Magento vulnerabilities in the platform’s history, alongside CosmicSting, TrojanOrder, Ambionics SQLi and Shoplift.

In the past, similar issues were used for session forgery, privilege escalation, access to internal services, and code execution.