
The National Computer Emergency Response Team (NCERT) has issued an advisory warning organizations about a critical security flaw in Adobe Commerce and Magento Open Source platforms.
The vulnerability, tracked as CVE-2025-54236 and nicknamed SessionReaper, carries a severity rating of 9.1 (Critical). It allows attackers to hijack customer sessions and potentially take over accounts without authentication. Under certain conditions, it can also lead to remote code execution when file-based session storage is enabled.
According to NCERT, the flaw arises from improper input validation in the Commerce REST API, which lets attackers manipulate session data remotely. The issue affects several deployment methods of Adobe Commerce, Magento Open Source, B2B extensions, and the Custom Attributes Serializable Module. Attackers could exploit the flaw to gain unauthorized access, intercept traffic, execute arbitrary code, or escalate privileges within affected systems.
Security experts have warned that the SessionReaper exploit poses a serious risk to e-commerce operations due to its low attack complexity and lack of authentication requirements. Successful exploitation could lead to widespread account takeovers, service disruptions, and potential financial losses from compromised transactions and stolen data. The vulnerability affects Adobe Commerce versions up to 2.4.9-alpha2 and Magento Open Source up to 2.4.9-alpha2, among others.
The advisory urges administrators to apply the emergency hotfix (VULN-32437-2-4-X-patch) or upgrade to the latest release (APSB25-88) immediately. For organizations unable to patch right away, NCERT recommends restricting REST API access to trusted networks, using web application firewall (WAF) rules to block malicious traffic, and monitoring for unusual session or login activity.
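Two of the interim controls above, restricting REST API access to trusted networks and watching for unusual API activity, can be checked against web-server access logs. The following is an added example, not code from NCERT or Adobe; it assumes the Commerce REST API is served under the `/rest/` path prefix, that trusted networks are a known CIDR allowlist, and it runs over constructed sample log lines.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Adobe Commerce / Magento REST endpoints are served under /rest/.
REST_PREFIX = "/rest/"
# Assumption: networks allowed to reach the REST API (integration hosts, admins).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Number of REST calls from one source that counts as a burst (tune per site).
BURST_THRESHOLD = 5

# Combined/common access-log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True when the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyze(lines):
    """Return (REST requests from untrusted sources, sources exceeding BURST_THRESHOLD)."""
    untrusted = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(REST_PREFIX):
            continue  # non-API traffic (storefront pages, admin UI) is out of scope here
        per_source[rec["ip"]] += 1
        if not is_trusted(rec["ip"]):
            untrusted.append((rec["ip"], rec["method"], rec["path"]))
    bursts = {ip: n for ip, n in per_source.items() if n >= BURST_THRESHOLD}
    return untrusted, bursts

# Constructed sample: one trusted integration host, one untrusted source repeatedly calling the API.
SAMPLE_LOG = [
    '10.0.5.2 - - [11/Sep/2025:10:00:01 +0000] "GET /rest/V1/products/SKU1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Sep/2025:10:00:02 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 64',
    '198.51.100.7 - - [11/Sep/2025:10:00:03 +0000] "POST /rest/V1/guest-carts/abc/items HTTP/1.1" 200 128',
    '198.51.100.7 - - [11/Sep/2025:10:00:04 +0000] "PUT /rest/V1/guest-carts/abc/items/1 HTTP/1.1" 200 128',
    '198.51.100.7 - - [11/Sep/2025:10:00:05 +0000] "GET /rest/V1/guest-carts/abc HTTP/1.1" 200 256',
    '198.51.100.7 - - [11/Sep/2025:10:00:06 +0000] "POST /rest/V1/guest-carts/abc/estimate-shipping-methods HTTP/1.1" 200 96',
    '198.51.100.7 - - [11/Sep/2025:10:00:07 +0000] "GET /checkout/cart/ HTTP/1.1" 200 2048',
    '10.0.5.2 - - [11/Sep/2025:10:00:08 +0000] "GET /admin/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for ip, method, path in flagged:
        print(f"untrusted REST call: {ip} {method} {path}")
    for ip, n in bursts.items():
        print(f"burst: {ip} made {n} REST calls")
```

The untrusted-source list is the allowlist check; the burst map is a coarse stand-in for the session and login anomaly monitoring the advisory recommends, and both thresholds and networks should be set from your own traffic baseline.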
NCERT also advised organizations using Adobe Commerce or Magento Open Source to rotate administrator credentials, enforce least-privilege access, and strengthen intrusion detection and prevention systems. Timely patching, log monitoring, and continuous anomaly detection are crucial to prevent large-scale exploitation through the SessionReaper vulnerability.