PT-2025-36491 · Adobe · Magento
Published 2025-09-08 · Updated 2026-05-08 · CVE-2025-54236
CVSS v2.0: 9.4 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions prior to 2.4.10; Magento Open Source (affected versions not specified)
Description: An improper input validation vulnerability, known as SessionReaper, exists in the REST API, specifically in the ServiceInputProcessor and the Custom Attributes Serializable module. The flaw allows unauthenticated attackers to bypass security features and take over sessions by reusing invalidated session tokens. In deployments that use file-based session storage, attackers can inject malicious serialized payloads, leading to remote code execution (RCE) with the web server's permissions. This can result in full system compromise, including root access and the deployment of web shells for persistent access. Real-world exploitation has been observed, with reports of over 250 attacks in a 24-hour period and more than 200 e-commerce sites fully compromised across regions including Canada, Japan, and Finland. Affected API endpoints include '/rest/V1/', '/graphql', and '/rest/V1/guest-carts/'.
Recommendations: Update to version 2.4.10 or apply the official security patch (e.g., hotfix VULN-32437-2-4-X) immediately. Disable file-based session storage to limit the risk of remote code execution. Deploy Web Application Firewall (WAF) rules to block exploitation attempts. Revoke existing sessions and rotate tokens after patching. Monitor for unusual activity, such as unexpected PHP files or spikes in POST requests to REST API endpoints.
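As an added defensive example (not from this advisory or from Adobe), the following Python scans web-server access-log lines for the kind of spike in POST requests to the REST endpoints named above that the recommendations suggest monitoring. The log lines, client addresses and the 20-requests-per-minute threshold are constructed assumptions; tune the threshold to the store's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint prefixes named in the advisory; '/rest/V1/' also covers '/rest/V1/guest-carts/'.
WATCHED_PREFIXES = ("/rest/V1/", "/graphql")
# Combined-log-format line: client, timestamp, request line, status (remaining fields ignored).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def build_sample_log():
    """Constructed sample traffic (not real): one quiet client, one burst, and GETs that must not count."""
    lines = []
    for i in range(3):   # benign client: three POSTs spread over an hour
        lines.append(f'198.51.100.7 - - [10/Sep/2025:12:{i * 20:02d}:00 +0000] "POST /rest/V1/guest-carts/ HTTP/1.1" 200 512')
    for i in range(30):  # noisy client: thirty POSTs inside thirty seconds
        lines.append(f'203.0.113.5 - - [10/Sep/2025:12:00:{i + 1:02d} +0000] "POST /rest/V1/guest-carts/ HTTP/1.1" 400 98')
    for i in range(30):  # GET traffic to the same API should be ignored by the POST check
        lines.append(f'203.0.113.9 - - [10/Sep/2025:12:00:{i + 1:02d} +0000] "GET /rest/V1/store/storeViews HTTP/1.1" 200 300')
    return "\n".join(lines)


def flag_post_spikes(log_text, window_seconds=60, threshold=20):
    """Return {ip: peak_count} for clients whose POSTs to watched endpoints reach the threshold within any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, method, path, _ = rec
        if method == "POST" and path.startswith(WATCHED_PREFIXES):
            events[ip].append(t)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```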

Tags: Exploit · Fix · LPE · RCE · Buffer Overflow

Weakness Enumeration

Related Identifiers
BDU:2025-10942
CVE-2025-54236
GHSA-WH92-6Q6G-PX7J

Affected Products
Magento