Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of any exploits in the wild. "A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API," Adobe said in an advisory issued today. The issue impacts the following products and versions – Adobe Commerce (all deployment methods): 2.4.9-alpha2 and earlier 2.4.8-p2 and earlier 2.4.7-p7 and earlier 2.4.6-p12 and earlier 2.4.5-p14 and earlier 2.4.4-p15 and earlier Adobe Commerce B2B: 1.5.3-alpha2 and earlier 1.5.2-p2 and earlier 1.4.2-p7 and earlier 1.3.4-p14 and earlier 1.3.3-p15 and earlier Magento Open Source: 2.4.9-alpha2 and earlier 2.4.8-p2 and earlier 2.4.7-p7 and earlier 2.4.6-p12 and earlier 2.4.5-p14 and earlier Custom Attributes Serializable module: Versions 0.1.0 to 0.4.0 Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure. "SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015),…Read More