PT-2025-36491 · Adobe · Magento

Published 2025-09-08 · Updated 2025-12-08 · CVE-2025-54236

CVSS v2.0: 9.4 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions 2.4.4-p15 through 2.4.9-alpha2

Description: Adobe Commerce and Magento are affected by an Improper Input Validation vulnerability. An attacker who successfully exploits this flaw can achieve session takeover, potentially leading to high confidentiality and integrity impact. Exploitation does not require user interaction. Over 250 attacks have been reported, with approximately 62% of stores remaining unpatched. The vulnerability allows unauthenticated remote code execution (RCE) via the REST API, potentially enabling attackers to deploy webshells and hijack customer accounts. The vulnerability, dubbed "SessionReaper" (CVE-2025-54236), is considered one of the most severe flaws in the product's history. It stems from improper input validation within the Custom Attributes Serializable module; the REST API's ServiceInputProcessor is a key component in the exploitation process.

Recommendations: Apply the emergency patch released by Adobe (VULN-32437-2-4-X). Implement Web Application Firewall (WAF) rules to mitigate the risk. Revoke existing sessions and rotate tokens as a precautionary measure. Disable file-based session storage if feasible. Monitor for unusual activity, including unexpected PHP files, strange responses from phpinfo(), spikes in POST requests to REST API endpoints, and new user sessions created without corresponding user action.
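The monitoring part of the recommendations above can be turned into a simple log check. The script below is an added example written for this page; it is not code from the advisory, Adobe or the Magento project. It assumes Apache "combined"-format access log lines (the sample lines are constructed), a detection window of 60 seconds with a threshold of 10 REST POSTs per source IP, and a hypothetical NO_PHP_DIRS list of writable, web-served directories that should never contain or serve PHP files; tune all three to your own store.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Sep/2025:10:00:01 +0000] "GET /rest/V1/products/SKU-1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Sep/2025:10:00:05 +0000] "POST /rest/V1/carts/mine HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
] + [
    # 12 POSTs from one client to a REST endpoint within 33 seconds (a burst worth reviewing)
    f'203.0.113.7 - - [10/Sep/2025:10:01:{i:02d} +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 64 "-" "python-requests/2.32"'
    for i in range(0, 36, 3)
] + [
    # a PHP file being served from the media directory, which should only hold static assets
    '198.51.100.9 - - [10/Sep/2025:10:02:40 +0000] "GET /pub/media/catalog/product/unexpected.php HTTP/1.1" 200 0 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: writable directories of a Magento install that should never serve PHP.
NO_PHP_DIRS = ("/pub/media/", "/pub/static/", "/var/")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def rest_post_spikes(lines, window_seconds=60, threshold=10, rest_prefix="/rest/"):
    """Return {ip: peak_count} for clients whose POSTs to REST endpoints reach
    `threshold` within any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(rest_prefix):
            per_ip[rec["ip"]].append(rec["ts"])
    spikes = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            # advance the window start until it is within window_seconds of t
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[ip] = peak
    return spikes


def unexpected_php_requests(lines, no_php_dirs=NO_PHP_DIRS):
    """Return (ip, path, status) for requests that fetch a .php file from a directory
    that should only hold static content."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith(".php") and path.startswith(no_php_dirs):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def unexpected_php_files(paths, no_php_dirs=NO_PHP_DIRS):
    """Apply the same rule to a list of filesystem paths relative to the Magento root
    (for example the output of `find . -name '*.php'`)."""
    return [
        p for p in paths
        if p.lower().endswith(".php") and ("/" + p.lstrip("./")).startswith(no_php_dirs)
    ]


if __name__ == "__main__":
    print("REST POST bursts:", rest_post_spikes(SAMPLE_LOG))
    print("PHP served from static dirs:", unexpected_php_requests(SAMPLE_LOG))
    print("PHP files in static dirs:",
          unexpected_php_files(["pub/index.php", "pub/media/x.php", "var/cache/a.php"]))
```

The window threshold is deliberately a starting point: a busy store's legitimate checkout traffic may exceed ten REST POSTs per minute from a single NAT address, so baseline the count on your own logs before alerting on it. The PHP-in-static-directory rule is the higher-confidence signal; any hit there deserves a look at the file itself.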

Exploit · Fix · RCE · LPE · Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-10942
CVE-2025-54236
GHSA-WH92-6Q6G-PX7J

Affected Products

Magento