CVE-2025-54236

Published Sep 9, 2025

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-54236, also known as SessionReaper, is a vulnerability affecting Adobe Commerce and Magento installations. It stems from improper input validation in the Magento Web API. Successful exploitation could lead to security feature bypass, potentially allowing attackers to take over customer accounts, steal data, and place fraudulent orders. The vulnerability allows unauthenticated remote code execution. The attack combines a malicious session with a nested deserialization bug in Magento's REST API. Exploitation appears to require file-based session storage. Adobe has released an emergency patch to address this critical flaw.

Description
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
Source
psirt@adobe.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

psirt@adobe.com
CWE-20

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

28

  1. Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts https://t.co/6CdcgqQK8S

    @chundefined

    10 Sept 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts https://t.co/qL4WMWXcjF https://t.co/vq1pvCYRcY

    @methodandmetric

    10 Sept 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 URGENT: Adobe releases emergency patch for critical "SessionReaper" bug (CVE-2025-54236) affecting ALL Magento/Commerce stores. Unauthenticated attackers can bypass security & take over accounts. CVSS 9.1/10. Patch NOW or use WAF protection. https://t.co/nPImaGROvL https

    @cyberkendra

    9 Sept 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Adobe patches critical SessionReaper flaw in Magento eCommerce platform Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magen… https://t.co/3UQwvpYHPO https://t.co/lx1evE2UgH

    @DConsultinguk

    9 Sept 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Adobe released an emergency patch for CVE-2025-54236, a critical Magento vulnerability enabling automated attacks against e-commerce stores. Automated exploitation is highly anticipated. Follow the story at https://t.co/xJw3yFxC7b #Vulnerability #Magento

    @CyberDigests

    9 Sept 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Adobe has addressed a critical vulnerability, CVE-2025-54236, in its Magento eCommerce platforms, known as SessionReaper. This flaw is considered one of the most severe in the product's history. Learn how to protect your store and read more here: https://t.co/4na3eiU6Lv

    @trubetech

    9 Sept 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🔥 Emergency Alert: @Adobe hotfix APSB25-88 for SessionReaper (CVE-2025-54236) today. This nasty little bug allows unauth session hijacks and potential remote code execution. Patch now! @JetRails clients have added support during rollout. Fix: https://t.co/Eh77QmX8JP https:/

    @JetRails

    9 Sept 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-54236 Adobe Commerce Security Feature Bypass Vulnerability in Multiple Versions https://t.co/WALTLEwjBt

    @VulmonFeeds

    9 Sept 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. [CVE-2025-54236: CRITICAL] Critical Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and older versions are prone to an input validation flaw enabling security featur...#cve,CVE-2025-54236,#cybersecurity https://t.co/rD3RIYO955 https://t.c

    @CveFindCom

    9 Sept 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Adobe has broken its usual monthly release cycle to respond urgently to the critical Magento vulnerability "SessionReaper" (CVE-2025-54236). It is a serious flaw that allows input validation to be bypassed, enabling account takeover and fraudulent orders.

    @yousukezan

    9 Sept 2025

    1672 Impressions

    2 Retweets

    8 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  11. Guys, the week hasn't even started. SessionReaper, a critical bug in Magento & Adobe Commerce (CVE-2025-54236) https://t.co/IpcLuKwNeO https://t.co/J6Bn7lKeh3

    @cyb3rops

    9 Sept 2025

    10368 Impressions

    25 Retweets

    81 Likes

    13 Bookmarks

    5 Replies

    0 Quotes

  12. SessionReaper, a critical bug in Magento & Adobe Commerce (CVE-2025-54236) https://t.co/lASLPHEuNg

    @Dinosn

    9 Sept 2025

    1312 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  13. 🚨🚨Adobe drops emergency patch for CVE-2025-54236, aka SessionReaper, a critical Magento flaw! Hackers can exploit WebAPI ServiceInputProcessor to hijack sessions, steal credit cards, or take over admin accounts. ZoomEye Dork👉app="Magento" 134.1k+ results are found on

    @zoomeye_team

    9 Sept 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Executive Alert: Adobe Issues Emergency Patch for SessionReaper (CVE-2025-54236) By CyberDudeBivash View the Patch Details on - https://t.co/WQLHL4UFKu https://t.co/hNYYtueB3a

    @Iambivash007

    9 Sept 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Adobe is breaking its usual patch schedule to publish an emergency fix for "SessionReaper", one of the worst vulnerabilities in Magento's history. Reportedly, thousands of e-commerce sites could be attacked within hours of its release. This vulnerability (CVE-2025-54236) is Mag

    @yousukezan

    9 Sept 2025

    5036 Impressions

    6 Retweets

    29 Likes

    13 Bookmarks

    0 Replies

    1 Quote

  16. ⚠️ Magento exploit: SessionReaper ⚠️ Attackers can hijack active sessions. 🚨 @Adobe will release an emergency fix (CVE-2025-54236) within 24 hours. Automated abuse expected. Merchants should act now. 🔗 https://t.co/TvCoMykiV4 🔗 https://t.co/YXrsk0TIdh #Magen

    @JetRails

    8 Sept 2025

    103 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. SessionReaper (CVE-2025-54236) – one of the most critical #Magento / #AdobeCommerce vulnerabilities. Patch drops Sept 9, 14:00 UTC. Details 👉 https://t.co/qqUWtiaBoV

    @mageshishya

    8 Sept 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Urgent warning for all #Magento2 stores! A critical security vulnerability (#SessionReaper - CVE-2025-54236) requires IMMEDIATE patching. Automated attacks are expected. Vandelay Industries can help you protect your store tomorrow!👉https://t.co/kAVYQdiis0 #eCommerce #Secu

    @Art_Vandelay_ny

    8 Sept 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes
