
The National Computer Emergency Response Team (NCERT) has issued a critical security warning for users of Adobe Commerce and Magento Open Source about a severe vulnerability that lets attackers take over customer accounts without knowing any login credentials. The flaw, known as “SessionReaper” (CVE-2025-54236), carries a CVSS score of 9.1 (Critical) and poses a major risk to online businesses and e-commerce operations.
Adobe Commerce and Magento Open Source are among the most widely used e-commerce platforms globally, powering thousands of online stores. If left unpatched, the vulnerability could lead to unauthorized account access, remote code execution, and theft of sensitive customer data.
According to NCERT, SessionReaper stems from improper input validation in the Commerce REST API, which allows an unauthenticated remote attacker to manipulate session data. It affects Adobe Commerce and Magento Open Source 2.4.9-alpha2 and earlier.
“Attackers can hijack active sessions and potentially execute arbitrary code when file-based session storage is enabled,” NCERT warned. “Administrators must apply emergency patches or upgrade to the latest release immediately.”
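The remote-code-execution branch NCERT describes depends on file-based session storage, so a first triage step is to confirm which session handler each store actually runs. The script below is an added example, not code from NCERT, Adobe or the Magento project: it reads the `session` block of `app/etc/env.php` (two constructed samples are embedded so it runs offline) and reports whether the file-based precondition is present. It assumes Magento's default of file sessions when no `session` block is configured; `audit_file` is a helper added here for use against a real deployment.

```python
"""Audit app/etc/env.php for the SessionReaper (CVE-2025-54236) RCE precondition.

Added example, not Adobe's, Magento's or NCERT's code. Assumption: a store with no
'session' block is treated as file-based, Magento's default when nothing is set.
"""
import re
from typing import Optional

# Constructed sample env.php using file-based sessions (the exposed configuration).
ENV_PHP_FILES = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'cache' => ['frontend' => ['default' => ['backend' => 'Cm_Cache_Backend_File']]],
];
"""

# Constructed sample env.php using Redis sessions (the common hardened alternative).
ENV_PHP_REDIS = """<?php
return [
    'session' => [
        'save' => 'redis',
        'redis' => ['host' => '127.0.0.1', 'port' => '6379', 'database' => '2']
    ],
];
"""


def _extract_block(text: str, key: str) -> Optional[str]:
    """Return the bracket-balanced body of  'key' => [ ... ]  or None if absent."""
    m = re.search(r"'%s'\s*=>\s*\[" % re.escape(key), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '[':
            depth += 1
        elif text[i] == ']':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced brackets: treat the block as unreadable


def session_backend(env_php: str) -> str:
    """Return the configured session save handler ('files', 'redis', 'db', ...)."""
    block = _extract_block(env_php, 'session')
    if block is None:
        return 'files'  # assumption: Magento falls back to file sessions when unset
    m = re.search(r"'save'\s*=>\s*'([^']*)'", block)
    return m.group(1) if m else 'files'


def uses_file_sessions(env_php: str) -> bool:
    """True when the RCE precondition NCERT describes is present."""
    return session_backend(env_php) == 'files'


def audit(env_php: str) -> dict:
    """Summarise the finding for one env.php; the hijack flaw exists either way."""
    backend = session_backend(env_php)
    if backend == 'files':
        finding = 'file-based sessions: SessionReaper RCE path reachable, patch immediately'
    else:
        finding = f'{backend} sessions: RCE precondition absent, session hijack still unpatched'
    return {'session_backend': backend,
            'rce_precondition_present': backend == 'files',
            'finding': finding}


def audit_file(path: str) -> dict:
    """Helper for a real deployment: audit the env.php at `path` (usually app/etc/env.php)."""
    with open(path, encoding='utf-8') as fh:
        return audit(fh.read())


if __name__ == '__main__':
    for name, sample in (('files', ENV_PHP_FILES), ('redis', ENV_PHP_REDIS)):
        print(name, audit(sample))
```

A non-file session backend removes only the code-execution path described above, not the session hijack itself, so the result is a prioritisation signal for patch rollout rather than a substitute for Adobe's hotfix.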
Expert Concerns
Cybersecurity analysts have cautioned that because the flaw can be exploited remotely, with low attack complexity and without any authentication, it could trigger mass account takeovers, transaction tampering, and service disruptions across e-commerce sites.
Recommended Actions
NCERT has urged all organizations using affected platforms to:
- Apply Adobe's isolated hotfix (VULN-32437-2-4-X) or upgrade to a release that contains the fix, as described in Adobe security bulletin APSB25-88.
- Restrict REST API access to trusted networks.
- Implement WAF rules to block suspicious requests.
- Rotate admin credentials and monitor logs for unusual activity.
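For the second recommendation, restricting the REST API to trusted networks, an allow-list at the web server is the usual mechanism. The block below is an added example for nginx and is not part of the NCERT advisory or Adobe's documentation; the addresses are placeholders, and the `try_files` line mirrors the root location of Magento's stock nginx.conf.sample. One caveat a practitioner should weigh first: Magento's own storefront checkout calls `/rest/` from shoppers' browsers, so a blanket allow-list like this only suits stores whose REST traffic comes exclusively from back-office integrations or a headless front-end on known networks. For a public storefront the workable options are the patch plus WAF rules, not a network allow-list.

```nginx
# Added example (not from NCERT or Adobe): limit the Commerce REST API to named networks.
# Place inside the server block that fronts Magento; addresses below are placeholders.
location ^~ /rest/ {
    allow 203.0.113.0/24;    # placeholder: office / integration network
    allow 198.51.100.10;     # placeholder: ERP or PIM integration host
    deny  all;               # everyone else gets 403 before PHP is reached

    # Same hand-off the stock Magento nginx.conf.sample uses for the root location.
    try_files $uri $uri/ /index.php$is_args$args;
}
```

Because `deny all` is evaluated before the request reaches PHP, blocked requests never touch the vulnerable input handling; verify the effect from a disallowed address with a single request to `/rest/V1/` and confirm a 403 in the access log, then check that checkout still completes from a shopper's network before leaving the rule in place.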
Cyber experts emphasize that timely patching and continuous monitoring are vital to safeguard businesses from large-scale exploitation through the SessionReaper vulnerability.