
Adobe patches critical SessionReaper flaw in Magento eCommerce platform


Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms. Researchers have named it SessionReaper and describe it as one of "the most severe" flaws in the history of the product.

Today, Adobe released a patch for the flaw, which could be exploited without authentication to take control of customer accounts through the Commerce REST API.

According to e-commerce security company Sansec, Adobe notified "selected Commerce customers" on September 4th of an upcoming emergency fix planned for September 9.

"Adobe is planning to release a security update for Adobe Commerce and Magento Open Source on Tuesday, September 9, 2025," reads the notice.

"This update resolves a critical vulnerability. Successful exploitation could lead to security feature bypass."

Customers using Adobe Commerce on Cloud were already protected by a web application firewall (WAF) rule that Adobe deployed as an interim measure. A WAF rule is a stopgap in front of the application rather than a fix in the code, so the security update should still be applied.

[Image: Adobe's notice to Magento customers. Source: Sansec]

Adobe says in the security bulletin that it is not aware of any exploitation activity in the wild. Sansec's advisory also notes that the researchers have not seen any active exploitation of SessionReaper.

However, Sansec says that an initial hotfix for CVE-2025-54236 leaked last week. Because the code changes in a fix point at the vulnerable logic, the leak could give threat actors a head start on building an exploit.
