Particle.news

Adobe Issues Emergency Patch for 'SessionReaper' Magento Bug Allowing Account Takeovers

A leaked hotfix plus a reproducible exploit elevate the risk of automated attacks despite no confirmed in-the-wild abuse.

Overview

  • Adobe released updates on September 9 for CVE-2025-54236, a critical Adobe Commerce and Magento Open Source flaw that enables unauthenticated account takeover via the Commerce REST API.
  • The bug, dubbed SessionReaper, is an improper input validation issue with a CVSS score of 9.1 and has been compared by researchers to past high-impact Magento vulnerabilities.
  • Sansec says it reproduced an exploitation path and warns the earlier hotfix leak could speed attacker development, with large-scale automated abuse considered likely.
  • Adobe has deployed web application firewall rules to protect Adobe Commerce on Cloud environments and cautions that the fix may break custom integrations due to disabled internal functionality.
  • File-based session storage appears most at risk, yet merchants using Redis or database sessions are urged to patch immediately; Adobe also shipped a separate ColdFusion fix for CVE-2025-54261.