Critical Flaw in Adobe Commerce and Magento Platforms Allows Attackers to Hijack Customer Accounts
Adobe has addressed a critical vulnerability in its Commerce and Magento Open Source platforms, known as SessionReaper (CVE-2025-54236), which allows attackers to hijack customer accounts and execute unauthenticated remote code execution under certain conditions.
The vulnerability is an improper input validation flaw reported by the cybersecurity firm Sansec. According to the firm, "SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024)". The comparison matters: similar vulnerabilities have been used to hack thousands of stores in the past, often within hours of the flaw being published.
An attacker can exploit this vulnerability to take over customer accounts using Adobe Commerce's REST API. The advisory from Adobe reads: "A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API."
Impact and Recommendation
The SessionReaper flaw impacts Adobe Commerce versions 3.x, 4.x, and 5.x, as well as Magento Open Source platforms. According to Sansec, the vulnerability enables remote code execution (RCE) through Magento's REST API by combining a malicious session with a deserialization bug.
Sansec advises all merchants, including those using Redis or database sessions, to act immediately because the vulnerability has multiple exploit paths. The firm notes that "the specific remote code execution vector appears to require file-based session storage."
Prevention Measures
To prevent hijacking of customer accounts, Adobe Commerce and Magento Open Source platform users should take the following measures:
- Update to the latest version of Adobe Commerce or Magento Open Source platforms.
- Implement proper input validation for user input.
- Disable file-based session storage.
- Regularly monitor and analyze logs for suspicious activity.
Conclusion
Adobe has addressed a critical vulnerability in its Commerce and Magento Open Source platforms, which allows attackers to hijack customer accounts. Merchants are advised to act immediately to prevent exploitation of this vulnerability. By following the recommended prevention measures, users can reduce the risk of their customer accounts being compromised.
For more information on this vulnerability and how to protect your business, visit the Adobe Security advisory page.