PT-2025-36491 · Adobe · Magento
Published 2025-09-08 · Updated 2026-03-20 · CVE-2025-54236
CVSS v2.0: 9.4 (Critical) | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Adobe Commerce versions 2.4.4 through 2.4.9-alpha2
Description
Adobe Commerce and Magento are affected by a critical Improper Input Validation vulnerability. A successful attacker can exploit this flaw to achieve session takeover, potentially leading to high confidentiality and integrity impact. Exploitation does not require user interaction. Over 250 attacks have been observed targeting systems vulnerable to this flaw, with approximately 62% of installations remaining unpatched. Attackers have been observed deploying webshells and exploiting the vulnerability for remote code execution. The vulnerability, dubbed “SessionReaper” (CVE-2025-54236), impacts the REST API and allows for unauthenticated access. The ServiceInputProcessor is a key component involved in the exploitation.
Recommendations
Apply the emergency patch released by Adobe for versions 2.4.4 through 2.4.9-alpha2.
Implement Web Application Firewall (WAF) rules to mitigate exploitation attempts.
Revoke existing sessions and rotate session tokens.
Monitor for unusual activity, including unexpected PHP files, strange responses from phpinfo(), and spikes in POST requests to REST API endpoints.
Disable file-based session storage if feasible.
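The monitoring recommendation above, as an added example that is not part of the advisory or of Adobe's tooling: a small Python helper that reads combined-format web server access logs, flags clients whose POSTs to /rest/ endpoints exceed a threshold inside a sliding time window, and lists successfully served .php files outside Magento's known entry points. The sample log lines, the thresholds and the entry-point allowlist are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined-format access log: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real log data): one ordinary shopper and one
# scripted client hammering a REST endpoint, then fetching a stray .php file.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [08/Sep/2025:10:00:01 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
     '203.0.113.10 - - [08/Sep/2025:10:00:05 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 64 "-" "Mozilla/5.0"']
    + [f'198.51.100.7 - - [08/Sep/2025:10:00:{s:02d} +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 64 "-" "python-requests/2.31"'
       for s in range(9, 16)]
    + ['198.51.100.7 - - [08/Sep/2025:10:05:00 +0000] "GET /media/tmp/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
       '203.0.113.10 - - [08/Sep/2025:10:05:03 +0000] "GET /index.php?foo=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"'])

def parse_log(text):
    """Yield (timestamp, client_ip, method, path, status) for each parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield datetime.strptime(ts, TIME_FMT), ip, method, path, int(status)

def rest_post_bursts(text, window=60, threshold=5):
    """Map client IP -> peak count of POSTs to /rest/ inside any `window`-second span, for clients above `threshold`."""
    stamps = defaultdict(list)
    for ts, ip, method, path, _ in parse_log(text):
        if method == "POST" and path.startswith("/rest/"):
            stamps[ip].append(ts)
    alerts = {}
    for ip, times in stamps.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts[ip] = max(alerts.get(ip, 0), hi - lo + 1)
    return alerts

def unexpected_php_hits(text, expected=("/index.php", "/setup/index.php")):
    """Return (client_ip, path) for successfully served .php files outside the known entry points."""
    hits = []
    for _, ip, _, path, status in parse_log(text):
        base = path.split("?", 1)[0]  # ignore the query string when matching the allowlist
        if base.endswith(".php") and base not in expected and 200 <= status < 300:
            hits.append((ip, base))
    return hits
```

Point both functions at a real access log (for example `rest_post_bursts(open("access.log").read())`) and tune `window` and `threshold` to the store's normal API traffic before alerting on the result.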
Related Identifiers
Affected Products
Magento