Full Report
Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (formerly Magento) platforms, with hundreds of attempts recorded. [...]
Analysis Summary
# Vulnerability: Critical SessionReaper Flaw in Adobe Magento (RCE/Session Hijacking)
## CVE Details
- CVE ID: CVE-2025-54236
- CVSS Score: Not stated in the source report; the flaw is rated **critical**.
- CWE: Improper Input Validation (CWE-20), per Adobe's description of the flaw.
## Affected Systems
- Products: Adobe Commerce and Magento Open Source (formerly Magento)
- Versions: **2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 (and earlier)**
- Configurations: The exploitation observed so far relies on session data being stored on the file system, which is the default setting. Deployments using another session backend are not reported as being targeted, but they still run the vulnerable code.
## Vulnerability Description
CVE-2025-54236, dubbed "SessionReaper," is an improper input validation vulnerability in the Commerce REST API. An unauthenticated attacker can exploit it over the network, with no user interaction, to take over legitimate customer accounts (session hijacking). Searchlight Cyber's deeper analysis indicates that the same flaw reaches a nested deserialization sink, which can extend the impact from account takeover to Remote Code Execution (RCE).
## Exploitation
- Status: **Exploited in the wild.** Sansec confirmed active exploitation after Adobe's patch was released, with hundreds of attempts recorded.
- Complexity: Not stated in the source. No user interaction or valid credentials are required; the observed attacks go beyond session takeover and probe for code execution.
- Attack Vector: **Network** (via the Commerce REST API).
## Impact
- Confidentiality: **High** (Account takeover).
- Integrity: **High** (Potential for data manipulation or further system compromise).
- Availability: Not stated in the source. Any availability effect would come from post-exploitation activity (for example a planted web shell) rather than from the flaw itself.
## Remediation
### Patches
- Adobe released an emergency patch on September 8, 2025, addressing CVE-2025-54236.
- **Action:** Apply the latest security update provided by Adobe for the affected Commerce versions.
### Workarounds
- The source does not list a specific workaround; patching is the only complete fix and should not be delayed. Because the observed exploitation depends on file-based session storage (see Affected Systems), moving sessions to another backend (the `session/save` setting in `app/etc/env.php`, e.g. `db` or `redis` instead of `files`) is a reasonable interim hardening step. This is an inference from the affected-configuration note, not a vendor-stated mitigation, and it does not remove the vulnerable code.
## Detection
- Indicators of Compromise: Review Commerce REST API traffic for unexpected request bursts and for reconnaissance that should never appear in legitimate API use: `phpinfo()` probes, checks for predefined system variables, and attempts to plant or call PHP web shells.
- Detection methods and tools: Security products such as Sansec Shield have been updated to detect and block these attacks. Web-server access logs remain the most widely available data source for retroactive hunting.
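The indicators above, turned into a small access-log triage script. This is an added example and not code from Adobe, Sansec, Searchlight Cyber or the cited article. It assumes the web server writes Combined Log Format, that Magento's document root is `pub/` (so the only legitimate PHP entry points are `index.php`, `static.php`, `get.php`, `cron.php` and `health_check.php`), and it uses hypothetical keyword patterns to approximate the phpinfo, system-variable and web-shell probes the bulletin describes; the sample log lines and the REST path `/rest/V1/endpoint-placeholder` are constructed, since the source does not name the vulnerable endpoint.

```python
"""Access-log triage for SessionReaper (CVE-2025-54236) probing.

Added example (not vendor code). Assumptions:
  * Combined Log Format (nginx/Apache default).
  * Document root is pub/, so LEGIT_PHP lists the only expected .php targets.
  * PROBES are hypothetical patterns approximating the bulletin's described
    reconnaissance (phpinfo, predefined system variables, PHP web shells).
    They are not vendor signatures; tune them to your own traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

REST_PREFIX = "/rest/"  # base path of the Commerce REST API
LEGIT_PHP = {"/index.php", "/static.php", "/get.php", "/cron.php", "/health_check.php"}

# Hypothetical indicator patterns, matched against the URL-decoded request
# target plus the User-Agent.
PROBES = {
    "phpinfo-probe": re.compile(r"phpinfo", re.I),
    "sysvar-probe": re.compile(r"\$?_(SERVER|ENV|GLOBALS)\b|getenv\(", re.I),
    "webshell-probe": re.compile(r"(web)?shell|[?&]cmd=", re.I),
}


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    target: str
    reasons: list


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a request looks suspicious (empty list if none)."""
    reasons = []
    target, ua = entry["target"], entry["ua"]
    path = target.split("?", 1)[0]
    haystack = f"{unquote(target)} {ua}"
    for name, rx in PROBES.items():
        if rx.search(haystack):
            reasons.append(name)
    # A .php file outside Magento's entry points answering with 2xx is the
    # classic footprint of a planted web shell.
    if path.lower().endswith(".php") and path not in LEGIT_PHP and entry["status"].startswith("2"):
        reasons.append("unexpected-php-file")
    return reasons


def scan(lines, burst_threshold=5):
    """Return (hits, burst_ips).

    hits      - requests with at least one reason from classify()
    burst_ips - sources with >= burst_threshold REST API requests; this is how
                'hundreds of attempts' surface before any single request looks
                obviously malicious
    """
    hits, rest_counts = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["target"].startswith(REST_PREFIX):
            rest_counts[e["ip"]] += 1
        reasons = classify(e)
        if reasons:
            hits.append(Hit(e["ip"], e["ts"], e["method"], e["target"], reasons))
    burst_ips = sorted(ip for ip, n in rest_counts.items() if n >= burst_threshold)
    return hits, burst_ips


# Constructed sample log: documentation-range IPs, placeholder REST endpoint.
SAMPLE_LOG = """\
198.51.100.10 - - [22/Oct/2025:09:00:01 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2025:09:00:05 +0000] "POST /rest/V1/endpoint-placeholder HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:09:00:06 +0000] "POST /rest/V1/endpoint-placeholder HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:09:00:07 +0000] "POST /rest/V1/endpoint-placeholder HTTP/1.1" 500 221 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:09:00:08 +0000] "POST /rest/V1/endpoint-placeholder HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:09:00:09 +0000] "POST /rest/V1/endpoint-placeholder HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:09:00:15 +0000] "GET /media/x.php?cmd=phpinfo HTTP/1.1" 200 9876 "-" "python-requests/2.31"
198.51.100.11 - - [22/Oct/2025:09:01:00 +0000] "GET /static.php?resource=frontend/Magento/luma/en_US/css/styles-m.css HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, bursts = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.target} -> {', '.join(h.reasons)}")
    print("burst sources:", bursts)
```

On the sample data the burst check flags `203.0.113.7` for five REST calls in a few seconds before any individual request is suspicious, and the later `GET /media/x.php?cmd=phpinfo` is flagged on three counts at once. The POST bodies that actually carry the REST payload are not in the access log, so treat a burst from one source as the trigger to pull application logs or full request captures for that address.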
## References
- Vendor Advisory: Adobe (Information released on September 8, 2025).
- Research/Status: Sansec bulletin regarding active exploitation.
- Technical Analysis: Searchlight Cyber analysis on nested deserialization.
- General Link: hXXps://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-sessionreaper-flaw-in-adobe-magento/