MUST READ

Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts

 | 

Google Pixel 10 adds C2PA to camera and Photos to spot AI-generated or edited images

 | 

KillSec Ransomware is Attacking Healthcare Institutions in Brazil

 | 

Microsoft Patch Tuesday security updates for September 2025 fixed two zero-day flaws

 | 

SAP September 2025 Patch Day fixed 4 critical flaws

 | 

Supply chain attack targets npm, +2 Billion weekly npm downloads exposed

 | 

LunaLock Ransomware threatens victims by feeding stolen data to AI models

 | 

Hackers breached Salesloft ’s GitHub in March, and used stole tokens in a mass attack

 | 

Canadian investment platform Wealthsimple disclosed a data breach

 | 

Venezuela’s President Maduro said his Huawei Mate X6 cannot be hacked by US cyber spies

 | 

Czech cyber agency NUKIB flags Chinese espionage risks to critical infrastructure

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 61

 | 

Security Affairs newsletter Round 540 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Qantas cuts executive bonuses by 15% after a July data breach

 | 

MeetC2 - A serverless C2 framework that leverages Google Calendar APIs as a communication channel

 | 

Critical SAP S/4HANA flaw CVE-2025-42957 under active exploitation

 | 

U.S. CISA adds Sitecore, Android, and Linux flaws to its Known Exploited Vulnerabilities catalog

 | 

SVG files used in hidden malware campaign impersonating Colombian authorities

 | 

France’s CNIL fined Google $379M and Shein $175M for breaching cookie rules

 | 

$10M reward for Russia's FSB officers accused of hacking US Critical infrastructure

 | 

Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts

Pierluigi Paganini September 10, 2025

Adobe fixed a critical flaw in its Commerce and Magento Open Source platforms that allows an attacker to take over customer accounts.

Adobe addressed a critical vulnerability, tracked as CVE-2025-54236 (aka SessionReaper, CVSS score of 9.1) in its Commerce and Magento Open Source platforms. The vulnerability is an improper input validation flaw.

“The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions.” reported cybersecurity firm Sansec. “SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.”

An attacker can exploit this vulnerability to take over customer accounts.

“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API.” reads the advisory.

Adobe is not aware any attacks in the wild exploiting this vulnerability.

The vulnerability impacts the following products and versions:

Adobe Commerce (all deployment methods):

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B:

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

Custom Attributes Serializable module:

versions 0.1.0 to 0.4.0

The researcher blaklis reported the vulnerability to the software giant.

The SessionReaper flaw, similar to last year’s CosmicSting, enables RCE via Magento’s REST API using a malicious session and a deserialization bug, with risk across storage types.

“Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year’s CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.” continues Sansec. “The specific remote code execution vector appears to require file-based session storage.”

Sansec advises all merchants, including those using Redis or database sessions, to act immediately due to multiple exploit paths for this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Magento)

Adobe CVE-2025-54236 Hacking hacking news information security news IT Information Security Magento Pierluigi Paganini Security Affairs Security News SessionReaper

you might also like

Pierluigi Paganini September 10, 2025
Google Pixel 10 adds C2PA to camera and Photos to spot AI-generated or edited images
Read more
Pierluigi Paganini September 10, 2025
KillSec Ransomware is Attacking Healthcare Institutions in Brazil
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts

Security / September 10, 2025

Google Pixel 10 adds C2PA to camera and Photos to spot AI-generated or edited images

Security / September 10, 2025

KillSec Ransomware is Attacking Healthcare Institutions in Brazil

Cyber Crime / September 10, 2025

Microsoft Patch Tuesday security updates for September 2025 fixed two zero-day flaws

Security / September 10, 2025

SAP September 2025 Patch Day fixed 4 critical flaws

Security / September 09, 2025