
CVE-2025-54236 “SessionReaper”: Critical Flaw in Adobe Commerce & Magento


Filip Dimitrov

September 10, 2025

A newly disclosed flaw in Adobe Commerce and Magento Open Source, tracked as CVE-2025-54236, exposes online stores to the risk of unauthenticated account takeover. The bug resides in the Commerce REST API and allows attackers to hijack active customer sessions without requiring credentials or user interaction.

Adobe rated the flaw critical (CVSS 9.1) and broke its regular patch cycle to issue an emergency hotfix, a clear signal of the potential for widespread exploitation. While there are currently no confirmed reports of in-the-wild attacks, public details of the patch and independent researcher write-ups significantly raise the likelihood of automated exploitation in the near term.

Key Details

  • Severity: Critical (CVSS 9.1)
  • Type: Security feature bypass → session takeover
  • Affected: Adobe Commerce and Magento Open Source versions 2.4.4 through 2.4.7, 2.4.8-p2, and 2.4.9-alpha2

What Makes This Vulnerability Dangerous

The issue stems from improper input validation (CWE-20) within the Commerce REST API. By carefully crafting requests, an attacker can bypass the logic that normally protects customer session state. Because the flaw requires no authentication and no user interaction, attackers can target vulnerable sites directly from the internet.

The most immediate impact is account takeover. Compromised sessions could allow access to order history, addresses, and personal information, as well as the ability to place or modify orders.

In environments where accounts are linked to external systems, such as ERPs, CRMs, or payment gateways, the risk extends beyond the commerce platform itself.

Threat Landscape

Security researchers have already nicknamed the bug “SessionReaper” and pointed out that details from the patch can accelerate exploit development. Media outlets have stressed the risk of large-scale abuse through automated probing of internet-facing Magento instances.

Even without confirmed exploitation, the combination of high impact, low complexity, and widespread exposure places this vulnerability in the high-likelihood, high-impact category.

Indicators and Attack Patterns

Because this is a logic flaw rather than a malware dropper, defenders should focus on behavioral signals rather than static indicators. Here are some warning signs to look out for:

  • Spikes in REST API traffic, especially toward customer authentication or session endpoints.
  • Rapid sequences of anonymous API requests followed by account actions such as password resets, address changes, or unauthorized orders.
  • Multiple accounts accessed from the same IP address or user agent in a short timeframe.

Remediation

The most effective step is simple: apply Adobe’s hotfix immediately. It covers all supported branches of Adobe Commerce and Magento Open Source and should be deployed to production as soon as possible.

After patching, invalidate all active sessions to prevent hijacked tokens from being reused. Integration tokens and API keys should also be rotated to close any lingering exposure.

Web application firewalls can provide additional protection while patches are rolled out. Rate limiting anonymous requests to REST endpoints, enforcing stricter validation rules, and whitelisting only known integration partners can reduce the attack surface.

Detection Guidance

To catch potential exploitation, monitor logs from both your application and any web application firewall in front of it.

  • Pay close attention to requests to /rest/ endpoints, especially those involving session or customer account functions.
  • Set up alerts for bursts of API calls from a single IP or ASN that deviate from your normal integration partners.
  • Correlate customer account changes (email updates, password resets, address edits) with preceding API activity, particularly when no corresponding interactive login was observed.
  • Compare user agent strings: a cluster of account actions from headless clients or generic libraries is suspicious.
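As an added example (not part of the OP Innovate advisory), the following Python script applies the behavioural signals from the Indicators and Detection Guidance sections to constructed combined-format access-log lines: a burst of /rest/ calls from one IP, an account-changing request shortly after that burst, and account actions issued by a generic HTTP client library. The thresholds, the set of paths treated as account actions and the user-agent prefixes are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Combined-format access log (nginx/Apache style); only the fields we need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed tuning: >BURST_N /rest/ calls inside BURST_WINDOW is a burst; account changes within FOLLOW_WINDOW are linked to it.
BURST_N, BURST_WINDOW, FOLLOW_WINDOW = 2, timedelta(seconds=30), timedelta(minutes=5)
# Paths treated as account-changing actions and generic-client UA prefixes (assumed sets).
ACCOUNT_PATH_RE = re.compile(r"^/rest/V1/customers/me(/password)?$|^/customer/(account|address)/")
HEADLESS_UA = ("python-requests", "curl/", "Go-http-client", "okhttp")
def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines in an unexpected format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def analyze(lines):
    # Returns {ip: set(signal names)} for the signals the advisory lists.
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    alerts = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        rest = [r for r in recs if r["path"].startswith("/rest/")]
        # Sliding window over /rest/ calls: note the time each burst threshold is crossed.
        bursts = [rest[i + BURST_N]["ts"] for i in range(len(rest) - BURST_N)
                  if rest[i + BURST_N]["ts"] - rest[i]["ts"] <= BURST_WINDOW]
        if bursts:
            alerts[ip].add("rest_burst")
        for r in recs:
            if r["method"] not in ("POST", "PUT") or not ACCOUNT_PATH_RE.match(r["path"]):
                continue  # only state-changing requests to account paths count as actions
            if any(b <= r["ts"] <= b + FOLLOW_WINDOW for b in bursts):
                alerts[ip].add("account_action_after_burst")
            if r["ua"].startswith(HEADLESS_UA):
                alerts[ip].add("headless_client_account_action")
    return dict(alerts)

# Constructed sample: a scripted client bursting at /rest/ then changing a password, plus a normal browser address edit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:12:00:01 +0000] "GET /rest/V1/guest-carts HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [10/Sep/2025:12:00:04 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 80 "-" "python-requests/2.32"
203.0.113.7 - - [10/Sep/2025:12:00:05 +0000] "GET /rest/V1/customers/me HTTP/1.1" 200 640 "-" "python-requests/2.32"
203.0.113.7 - - [10/Sep/2025:12:01:10 +0000] "PUT /rest/V1/customers/me/password HTTP/1.1" 200 4 "-" "python-requests/2.32"
198.51.100.4 - - [10/Sep/2025:12:05:00 +0000] "POST /customer/address/formPost/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` flags only 203.0.113.7 with all three signals; the browser session editing an address produces no alert, which is the baseline you want before lowering thresholds.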

Stay Safe, Stay Secure

The OP Innovate Research Team
