PT-2025-36491 · Adobe · Magento
Published: 2025-09-08 · Updated: 2025-10-23 · CVE-2025-54236

CVSS v2.0: 9.4
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Adobe Commerce versions 2.4.4-p15 through 2.4.9-alpha2; Magento versions 2.3.1 and earlier
Description
Adobe Commerce and Magento are affected by an improper input validation issue. A successful attacker can exploit it to achieve session takeover, potentially leading to a high impact on confidentiality and integrity. Exploitation does not require user interaction. The vulnerability, dubbed SessionReaper, allows attackers to hijack customer accounts via the REST API. Automated exploitation is anticipated, and hundreds of exploitation attempts have already been recorded. The REST API's ServiceInputProcessor is vulnerable due to improper input validation; the flaw could potentially lead to remote code execution.
Recommendations
Apply the emergency patch released by Adobe for versions 2.4.4-p15 through 2.4.9-alpha2. For versions 2.3.1 and earlier, update to a patched version. Revoke existing sessions and rotate tokens as a precautionary measure. Consider implementing Web Application Firewall (WAF) rules for Adobe Cloud users.

Weakness Enumeration

Related Identifiers

BDU:2025-10942
CVE-2025-54236
GHSA-WH92-6Q6G-PX7J

Affected Products

Magento