Adobe Patches Severe SessionReaper Flaw in Commerce & Magento
Adobe has addressed a severe security flaw in its Commerce and Magento Open Source platforms. The vulnerability, dubbed SessionReaper, allows attackers to hijack customer accounts. Adobe released patches on September 9 and implemented additional security measures.
The SessionReaper flaw, tracked as CVE-2025-54236, is an improper input validation issue with a CVSS score of 9.1. It enables remote code execution via Magento's REST API by combining a malicious session with a deserialization bug. The researcher known as blaklis discovered the vulnerability and reported it to Adobe.
Adobe has patched the issue in Adobe Commerce and Magento Open Source, and for Adobe Commerce on Cloud it has activated a Web Application Firewall (WAF) rule as a temporary mitigation. However, security firm Sansec warns that merchants should act immediately, since there are multiple exploit paths for this vulnerability. Despite the severity, Adobe states that no active attacks exploiting this flaw have been detected in the wild.
The SessionReaper vulnerability affects various versions of Adobe Commerce and Magento Open Source, as well as the Custom Attributes Serializable module. Attackers can exploit this flaw to take over customer accounts through the Commerce REST API. Merchants are urged to apply the available patches and additional security measures promptly to protect their customers' accounts.