skip to content
thumbnail-inner-image

Post by :

i95Dev Marketing

Published

Categories

Read time

4 min read

A newly discovered critical vulnerability, SessionReaper (CVE-2025-54236), impacts Adobe Commerce and Magento Open Source. This flaw allows account takeover without user interaction through the Commerce REST API and has been rated 9.1/10 Critical on the National Vulnerability Database (NVD). Adobe has released a hotfix (VULN-32437-2-4-X-patch). Merchants must apply it immediately and verify patch status to avoid exposure. What happened Security researchers discovered an input-validation flaw in…

Social Share :

Table Of Contents
  1. What happened
  2. Action plan template you can use immediately
  3. Conclusion:

A newly discovered critical vulnerability, SessionReaper (CVE-2025-54236), impacts Adobe Commerce and Magento Open Source.

This flaw allows account takeover without user interaction through the Commerce REST API and has been rated 9.1/10 Critical on the National Vulnerability Database (NVD).

Adobe has released a hotfix (VULN-32437-2-4-X-patch). Merchants must apply it immediately and verify patch status to avoid exposure.

What happened

Security researchers discovered an input-validation flaw in the Commerce REST API that lets an attacker forge or manipulate session-related input and gain access to customer accounts.

Because the exploit requires no customer action, its impact is especially severe for merchants handling sensitive customer and payment data.

Identifiers & references

  • CVE: CVE-2025-54236
  • Nickname: SessionReaper
  • NVD severity: 9.1 / 10
  • Adobe Security Bulletin: APSB25-88
  • Hotfix: VULN-32437-2-4-X-patch

Who is affected

  • Adobe Commerce – 2.4.9-alpha2 and earlier (includes 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and other patch versions).
  • Adobe Commerce B2B — 1.5.3-alpha2 and earlier (and listed patch families).
  • Magento Open Source — 2.4.9-alpha2 and earlier (and listed patch families).
  • Custom Attributes Serializable module — versions 0.1.0 → 0.4.0.

If your platform version or any of the listed modules match the ranges above, you are at risk.

Immediate actions (one-page checklist)

  1. Apply Adobe’s hotfix: VULN-32437-2-4-X-patch — apply immediately to affected instances.
  2. Update module (if applicable)
  3. composers require Magento/out-of-process-custom-attributes=0.4.0 –with-dependencies
  4. Verify patch application using the Quality Patches Tool or your normal patch verification workflow.
  5. Check logs & user accounts: review authentication logs and unusual session activity (failed/successful logins, new admin/customer account creations, session anomalies).
  6. If on Adobe Commerce Cloud: confirm WAF rules are active (Adobe deployed WAF protections), but do not rely solely on the WAF, apply the hotfix anyway.
  7. If you’re on Managed Services: contact your Customer Success Engineer for guided remediation and validation.
  8. Rotate keys & credentials used by integrations that depend on user sessions or API authentication if you suspect compromise.
  9. Monitor for indicators of compromise and enable additional logging and alerting until the environment is confirmed clean.

Need help applying the patch? Contact i95Dev’s Adobe Commerce security team for immediate support.

Why Is This Urgent?

  • The vulnerability enables account takeover without user interaction, meaning attackers don’t need a phishing click or social engineering to exploit it.
  • A leaked hotfix (reported by researchers) increases the risk: attackers may reverse-engineer the patch to create exploits.
  • Customer data, stored payment instruments, order history and account trust are at stake — any compromise has immediate reputational and regulatory risk.

Verification & testing

  • Run integration + smoke tests that exercise login, session creation, and API endpoints.
  • Validate WAF rules (if present) and test that expected traffic patterns are still allowed, and malicious vectors are blocked.
  • Reproduce known attack patterns in a safe staging environment only, do not test exploit techniques on production.

Post-patch hardening recommendations

  • Enforce stronger session management and shorter session lifetimes where possible.
  • Add multi-factor authentication for admin and support access.
  • Review third-party extensions for similar input-validation weaknesses.
  • Schedule a follow-up security review and pen test after patching to ensure no lateral issues remain.

Action plan template you can use immediately

  • Run an inventory of Magento/Commerce versions & installed modules.
  • Schedule hotfix deployment to staging → test → production (apply hotfix ASAP).
  • Verify with Quality Patches Tool and run session/authentication test cases.
  • Monitor logs for anomalies 24–72 hours after deployment.
  • Communicate to customers if you detect any suspicious account activity (follow regulatory/incident response protocol if needed).

Conclusion:

If you want to secure your account, i95Dev is here to help. Our Adobe Commerce/ Magento and security specialists will:

  • Assess your site’s exposure
  • Apply and validate the hotfix
  • Audit logs for suspicious activity
  • Implement hardening and continuous monitoring

Contact us today to get immediate assistance and protect your customers and your business.

Related Blogs

Why B2B Buyers Hate Your eCommerce Experience (and What They Secretly Wish You’d Do Instead)

Read More →

The Future of B2B Bulk Ordering Workflows: Fast, Simple, Reliable

Read More →

Company Accounts & Approval Workflows: Transforming B2B Buyer Management 

Read More →

Subscribe To Our i95Dev

Join our community of finance, operations, and procurement experts and stay up to date on the latest purchasing & payments content.

Scroll to Top