TL;DR

A critical improper-input-validation vulnerability (CVE-2025-54236, also known as SessionReaper) in Adobe Commerce and Magento Open Source lets attackers take over customer sessions through the Commerce REST API. Adobe released an out-of-band patch on September 9, 2025 and urges immediate remediation. CVSS v3.1: 9.1 (Critical).


What happened

Adobe published an emergency security bulletin (APSB25-88) after a researcher disclosed a severe flaw in the Commerce REST API that can be abused to hijack customer accounts and, under certain conditions, could lead to unauthenticated remote code execution. Adobe says the issue affects several Adobe Commerce and Magento Open Source releases; it pushed an out-of-band update on September 9, 2025.

Technical summary

  • CVE: CVE-2025-54236 (aka SessionReaper).

  • Type: Improper Input Validation (CWE-20).

  • CVSS v3.1: 9.1 (Critical) — network exploitable, no user interaction required.

  • Attack vector: Commerce REST API. Crafted requests can bypass session protections and take over active customer sessions; some researchers have demonstrated conditions under which the flaw enables unauthenticated RCE.

  • Affected: Adobe Commerce (multiple 2.4.x patch builds and earlier) and Magento Open Source builds; see the Adobe advisory and the NVD entry for exact versions.

Severity and context

Multiple security vendors and researchers describe SessionReaper as one of the most severe Magento/Adobe Commerce flaws in recent memory because of (a) the high CVSS score, (b) the ability to hijack customer sessions without user interaction, and (c) reports that public proof-of-concept analysis and an accidental patch leak have increased the risk of exploitation. Adobe currently states it is not aware of active exploitation in the wild, but the combination of high impact and public analysis makes patching urgent.

What Adobe and Vendors Say

Adobe’s bulletin APSB25-88 provides the security update, guidance and remediation steps for Commerce Cloud / Managed Service customers; third-party trackers (NVD, Tenable) list affected versions and rate the flaw as severe. Some security researchers reported that they could simulate the attack and warned that the leaked patch could accelerate exploit development.

Immediate actions for site owners (practical checklist)

  1. Apply Adobe’s out-of-band security update immediately, following the APSB25-88 guidance. This is the single most important step.

  2. If you run Commerce Cloud / Managed Services, contact Adobe or your customer success engineer; Adobe said some cloud customers already have WAF protections applied.

  3. Invalidate active sessions and rotate session keys after patching (force a logout of all customers and admins). Patching closes the hole but does not revoke session tokens stolen before the fix, so this step matters even when no compromise has been confirmed.

  4. Harden your WAF / edge rules: deploy application rules that block suspicious Commerce REST API payloads until the patch is applied. (Adobe and some vendors have issued WAF signatures.) Treat this as a stopgap, not a substitute for the update.

  5. Monitor logs and indicators: abnormal session creation, sudden spikes in session reuse (one session id seen from several client IPs or user agents), unusual REST API call patterns, and anomalies in failed and successful logins. Keep forensic copies of logs for investigation.

  6. Rotate credentials and API keys used by integrations that touch the REST API if compromise is suspected.

  7. Notify stakeholders and customers if you confirm account compromise; follow your incident response and breach notification policy.

  8. Validate the update in a staging environment before rolling it into production, checking session invalidation and key business flows (login, checkout, integrations); keep that window short given the severity.

(Adobe’s bulletin contains the authoritative patch and product-version guidance — apply it first.)
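To make the monitoring step concrete, here is an added example (written for this article, not code from Adobe or the Magento project) that runs two of the listed indicators over constructed access-log lines: one session id appearing from more than one client IP or user agent, and a burst of REST API calls from a single IP. The log format, the `sid=` field (a hashed session id the web tier is assumed to emit; stock nginx and Apache formats do not log it) and the burst threshold of 20 calls per minute are assumptions made for the example.

```python
"""Post-SessionReaper log triage: session pivots and REST API bursts.

Assumption (not from Adobe's bulletin): the web tier writes an extended
access log carrying a hashed customer session id and the user agent.
Hash the cookie value before logging so the log is not a token store.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format, assumed for this example:
#   <ip> [<timestamp>] "<method> <path>" <status> sid=<hashed sid> ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from any real store). Session a1b2c3 starts
# in a browser and is then replayed by a scripted client from another IP;
# the last IP hammers the REST API with a fresh session id per request.
SAMPLE_LINES = [
    '203.0.113.7 [09/Sep/2025:10:00:01 +0000] "GET /rest/V1/customers/me" 200 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.7 [09/Sep/2025:10:00:02 +0000] "GET /customer/account/" 200 sid=a1b2c3 ua="Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.9 [09/Sep/2025:10:00:05 +0000] "GET /rest/V1/customers/me" 200 sid=a1b2c3 ua="python-requests/2.32"',
    '198.51.100.9 [09/Sep/2025:10:00:06 +0000] "PUT /rest/V1/customers/me" 200 sid=a1b2c3 ua="python-requests/2.32"',
    '192.0.2.44 [09/Sep/2025:10:01:00 +0000] "GET /catalog/product/view/id/12" 200 sid=d4e5f6 ua="Mozilla/5.0 (Macintosh)"',
    '192.0.2.44 [09/Sep/2025:10:01:03 +0000] "POST /rest/V1/guest-carts" 200 sid=d4e5f6 ua="Mozilla/5.0 (Macintosh)"',
    'garbage line that does not match the format',
] + [
    '198.51.100.200 [09/Sep/2025:10:02:%02d +0000] "GET /rest/V1/customers/me" 401 sid=burst%d ua="curl/8.0"' % (i, i)
    for i in range(25)
]


def parse_log(lines):
    """Parse lines into dicts with a timezone-aware 'ts'; count, do not raise on, bad lines."""
    records, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records, skipped


def session_pivots(records):
    """Session ids seen from more than one client IP or user agent.

    This is the most direct 'session reuse' signal after a takeover bug:
    a browser session rarely changes both network location and client.
    """
    seen = defaultdict(lambda: {"ips": set(), "uas": set()})
    for r in records:
        seen[r["sid"]]["ips"].add(r["ip"])
        seen[r["sid"]]["uas"].add(r["ua"])
    return {
        sid: {"ips": sorted(v["ips"]), "uas": sorted(v["uas"])}
        for sid, v in seen.items()
        if len(v["ips"]) > 1 or len(v["uas"]) > 1
    }


def rest_bursts(records, window_seconds=60, threshold=20):
    """Client IPs whose peak /rest/ call count in any sliding window hits the threshold.

    The threshold is a placeholder; tune it against your baseline of legitimate clients.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["path"].startswith("/rest/"):
            by_ip[r["ip"]].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def report(lines):
    """Run both detectors and return a single summary dict."""
    records, skipped = parse_log(lines)
    return {
        "parsed": len(records),
        "skipped": skipped,
        "session_pivots": session_pivots(records),
        "rest_bursts": rest_bursts(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

To run it against a real log, replace `SAMPLE_LINES` with the file's lines (for example `sys.stdin`) after adding the `sid=` and `ua=` fields to your web-server log format. A session seen from two IPs alone is also normal for mobile users changing networks; an IP change combined with a user-agent change, as in the sample, is the stronger signal, and the REST burst detector should be tuned against the traffic your own integrations generate.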

Risk assessment for businesses

  • Customer impact: High — account takeover allows fraud, order manipulation, disclosure of personal data, and potential downstream financial loss.

  • Operational impact: High — outage risk during emergency patching, session invalidation and potential customer support surge.

  • Exploitability: High — no user interaction required and public analysis/proof-of-concepts exist.

Editor’s note (Cybersecurity88)

If you operate an Adobe Commerce / Magento instance — treat this as an emergency: patch now, invalidate sessions, and verify your monitoring. If you’d like, Cybersecurity88 can produce a one-page incident playbook you can use to coordinate patching and customer communications — reply and we’ll prepare it.