Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

The Hacker News by The Hacker News
September 10, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Sep 10, 2025Ravie LakshmananVulnerability / Software Security

Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts.

The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of any exploits in the wild.

“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe said in an advisory issued today.

The issue impacts the following products and versions –

Audit and Beyond

Adobe Commerce (all deployment methods):

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B:

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Magento Open Source:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

Custom Attributes Serializable module:

Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure.

CIS Build Kits

“SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce security company Sansec said.

The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability.

“The vulnerability follows a familiar pattern from last year’s CosmicSting attack,” it added. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.”

“The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.”

Adobe has also shipped fixes to contain a critical path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that could lead to an arbitrary file system write. It impacts ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Record share of U.S. businesses divert China investments. Top choice: Southeast Asia

Record share of U.S. businesses divert China investments. Top choice: Southeast Asia

Recommended.

Stocks making the biggest moves midday: Apple, Amazon, Monolithic Power, Reddit and more

Stocks making the biggest moves midday: Apple, Amazon, Monolithic Power, Reddit and more

August 1, 2025
Ray Dalio says to fear the bond market as deficit becomes critical

Ray Dalio says to fear the bond market as deficit becomes critical

May 22, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio