Joseph Lee

SessionReaper: Account Takeover and Unauthenticated RCE in Magento and Adobe Commerce

CVE-2025-54236 (CVSS 9.1) is an account-takeover flaw that may result in unauthenticated remote code execution (RCE) under certain conditions. Dubbed “SessionReaper”, CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source web applications. The root cause is Improper Input Validation [CWE-20] in the REST API. Adobe’s official advisory describes the issue as a security feature bypass, although it provides no further explanation.

The exploit chain for CVE-2025-54236 starts with a nested deserialization vulnerability [CWE-502] and results in a malicious session for a customer account. Security researchers from Sansec claim that Remote Code Execution (RCE) is possible when file-based session storage is used and that other attack chains may also exist, such as RCE via Redis or database session storage. Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236 via the Hackerone platform.

No full technical description, proof of concept (PoC), or exploit kit is publicly available yet. However, France’s CERT-FR has issued a public advisory for the vulnerability. Greenbone’s OPENVAS ENTERPRISE FEED already includes a remote banner check to identify vulnerable systems and verify patch status.

Risk Assessment for CVE-2025-54236 (aka “SessionReaper”)

Magento Open Source (released in 2008) and its commercial counterpart Adobe Commerce are widely used e-commerce platforms. As of 2024, they power on the order of 200,000 to 250,000 live stores, putting Magento among the leading global e-commerce platforms. This wide usage makes it an attractive target for attackers.

Previous vulnerabilities in Magento have been leveraged in mass exploitation attacks within hours [1][2][3][4] of their disclosure. In this case, Adobe’s patch was accidentally leaked publicly, giving attackers a head start on developing exploit code. If exploited, attackers could install malware [T1105] in an attempt to covertly maintain persistent access [TA0003] to the victim’s infrastructure. This could lead to future attacks, such as stealing payment card information to make fraudulent transactions [T1657], stealing other sensitive information [TA0010], conducting phishing [T1566] attacks against customers of the website, or deploying ransomware against the victim [T1486].

Mitigating CVE-2025-54236 (aka “SessionReaper”)

CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source across multiple versions, as well as the Custom Attributes Serializable module on all platforms and deployment methods [1]. However, Adobe’s own knowledge base appears to contradict itself: it states that Custom Attributes Serializable module versions 0.1.0 through 0.4.0 are affected, yet also advises upgrading the module to version 0.4.0 or higher.

Users are advised to install the hotfix patch provided by Adobe or update to the latest version immediately to protect their online business operations and customers. Users should also conduct a thorough assessment to determine whether their instance has already been compromised and if found, remove the infection. Adobe has also released a developer guide to help users adjust to any necessary changes in the web application’s REST API. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable systems.

Summary

CVE-2025-54236 poses a critical risk to Magento and Adobe Commerce users. For attackers, the flaw enables account takeover and potentially unauthenticated RCE on a victim’s infrastructure. Defenders should identify vulnerable systems and patch them immediately. Greenbone’s OPENVAS ENTERPRISE FEED can help to identify vulnerable web applications and verify remediation status. IT security teams should also audit their systems to detect potential breaches and remove infections if any indicators of compromise (IoC) are found.

Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

17. September 2025/by Joseph Lee