
"A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API," Adobe said in an advisory issued today. The issue impacts the following products and versions:

Adobe Commerce (all deployment methods):
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier

Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
"'SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),' e-commerce security company Sansec said. The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability. 'The vulnerability follows a familiar pattern from last year's CosmicSting attack,' it added. 'The attack combines a malicious session with a nested deserialization bug in Magento"
An improper input validation vulnerability in Adobe Commerce and Magento Open Source (CVE-2025-54236, SessionReaper) enables attackers to take over customer accounts via the Commerce REST API. The flaw has a CVSS score of 9.1 and impacts numerous Adobe Commerce, Adobe Commerce B2B, and Magento Open Source versions, plus the Custom Attributes Serializable module. Adobe released a hotfix and deployed web application firewall rules to protect Cloud-hosted environments. Sansec reproduced one exploitation method, warned of alternative weaponization paths, and compared the flaw's severity to several historic Magento incidents involving session and deserialization attack patterns.
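The advisory's affected list is phrased as "X and earlier" per release line, and Magento version strings mix GA releases, `-pN` patch releases and `-alphaN` pre-releases, so a naive string compare gets the answer wrong (2.4.8 sorts after 2.4.8-p2 as a string, yet it is the older build). The following script is an added example, not code from Adobe, Sansec or The Hacker News: it parses a version string into an orderable key and checks it against the ceilings quoted on this page. The product keys, the stage ordering (alpha < beta < GA < p1 < p2 ...) and the literal reading of "and earlier" for unlisted older lines are this example's own assumptions; Magento Open Source ceilings are not quoted on this page and are therefore not included.

```python
import re
from typing import Optional, Tuple

# Ceilings copied verbatim from the Adobe advisory text quoted on this page
# ("X and earlier"). Product keys are this example's own naming.
AFFECTED_CEILINGS = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7"],
}

# Assumed ordering of builds within one X.Y.Z release line:
# alpha pre-release < beta pre-release < GA (no suffix) < p1 < p2 < ...
_STAGE_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '2.4.8-p2' into (2, 4, 8, 3, 2) so tuple comparison orders builds correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4) or ""
    number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, _STAGE_RANK[stage], number)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False when the quoted advisory list decides it; None when the version is
    newer than every listed ceiling and therefore not covered by this page's data."""
    key = parse_version(version)
    line = key[:3]  # the X.Y.Z release line this build belongs to
    ceilings = [parse_version(c) for c in AFFECTED_CEILINGS[product]]

    # A listed line is decided by its own ceiling (e.g. 2.4.8-p3 is past 2.4.8-p2).
    for ceiling in ceilings:
        if ceiling[:3] == line:
            return key <= ceiling

    # Unlisted line: the literal "and earlier" wording covers anything older than
    # a listed ceiling (e.g. 2.4.4-p9 is earlier than 2.4.5-p14). Newer lines are unknown.
    if key < max(ceilings):
        return True
    return None


def describe(product: str, version: str) -> str:
    verdict = is_affected(product, version)
    if verdict is None:
        return f"{product} {version}: not covered by the quoted advisory list"
    return f"{product} {version}: {'AFFECTED' if verdict else 'past the listed ceiling'}"


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for product, version in [
        ("adobe-commerce", "2.4.8"),
        ("adobe-commerce", "2.4.8-p2"),
        ("adobe-commerce", "2.4.8-p3"),
        ("adobe-commerce", "2.4.9-alpha1"),
        ("adobe-commerce", "2.4.4-p9"),
        ("adobe-commerce", "2.5.0"),
        ("adobe-commerce-b2b", "1.4.2-p8"),
    ]:
        print(describe(product, version))
```

Two caveats a practitioner should keep in mind. First, the page says Adobe shipped the fix as a hotfix applied on top of existing releases, so a version string alone cannot tell you whether a store has been patched; check that the hotfix is actually installed. Second, "past the listed ceiling" means only that the build is outside the ranges the advisory names, not that anything has been verified about it.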
Read at The Hacker News