Islamabad – National Computer Emergency Response Team (NCERT) has issued an urgent security advisory for organizations running Adobe Commerce and Magento Open Source platforms, warning of a critical vulnerability that threatens the security of eCommerce systems. Identified as CVE-2025-54236 and nicknamed SessionReaper, the flaw carries a CVSS score of 9.1, placing it in the critical category on the Common Vulnerability Scoring System. This vulnerability stems from improper input validation in the Commerce REST API, leaving affected systems exposed to potential large-scale attacks, including session hijacking, customer account takeovers, and in some instances, remote code execution.
According to NCERT, the vulnerability impacts multiple deployment methods of Adobe Commerce, Magento Open Source, B2B extensions, and the Custom Attributes Serializable Module. If exploited, attackers could compromise customer accounts, steal sensitive data, hijack transactions, escalate privileges through stolen tokens or API keys, and disrupt operations at scale. In configurations where file-based session storage is enabled, the risk extends to remote code execution, significantly heightening the threat to critical infrastructure and online businesses relying on these platforms.
To mitigate the risks, NCERT is urging organizations to act swiftly by applying the emergency hotfix VULN-32437-2-4-X-patch or upgrading to Adobe’s latest release (APSB25-88). Additional measures recommended include rotating administrator and API credentials, restricting REST API access to trusted networks, and implementing strict Web Application Firewall (WAF), Intrusion Detection System (IDS), or Intrusion Prevention System (IPS) rules. NCERT also advises close monitoring of system logs for unusual activities such as abnormal login attempts or unexpected privilege escalations that could indicate exploitation attempts.
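The last two recommendations above (restrict REST API access to trusted networks, and watch logs for abnormal login attempts) can be turned into a simple check a defender runs over web-server access logs. The script below is an added example written for this article; it is not code from NCERT, Adobe or the Magento project. It assumes an nginx "combined" log format, a hypothetical trusted network of 10.20.0.0/16, Magento's conventional `/rest/` API path prefix, and a threshold of three failed authentication responses per source address; the log lines themselves are constructed samples using documentation IP ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines in nginx "combined" format (hypothetical
# addresses from the RFC 5737 documentation ranges; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:10:00:01 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 52 "-" "curl/8.4"
203.0.113.7 - - [12/Sep/2025:10:00:02 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 52 "-" "curl/8.4"
203.0.113.7 - - [12/Sep/2025:10:00:03 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 52 "-" "curl/8.4"
203.0.113.7 - - [12/Sep/2025:10:00:04 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 52 "-" "curl/8.4"
10.20.0.5 - - [12/Sep/2025:10:01:00 +0000] "GET /rest/V1/orders/1001 HTTP/1.1" 200 1843 "-" "erp-sync/1.0"
198.51.100.9 - - [12/Sep/2025:10:02:00 +0000] "GET /rest/V1/products HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2025:10:02:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 33211 "-" "Mozilla/5.0"
"""

# Hypothetical allow-list: networks from which REST API use is expected
# (e.g. an internal ERP integration host).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
REST_PREFIX = "/rest/"          # Magento's REST API lives under this path
AUTH_FAIL_THRESHOLD = 3         # failed auth responses per source before alerting

# Parser for the nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(log_text):
    """Scan REST API requests for two signals the advisory asks admins to watch:
    calls from outside trusted networks, and repeated authentication failures."""
    untrusted_rest = []            # (ip, method, path) for REST calls from untrusted sources
    auth_failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue                # only REST API traffic is of interest here
        if not is_trusted(rec["ip"]):
            untrusted_rest.append((rec["ip"], rec["method"], rec["path"]))
        if rec["status"] in (401, 403):
            auth_failures[rec["ip"]] += 1
    flagged = {ip: n for ip, n in auth_failures.items() if n >= AUTH_FAIL_THRESHOLD}
    return {
        "untrusted_rest": untrusted_rest,
        "auth_failures": dict(auth_failures),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, method, path in result["untrusted_rest"]:
        print(f"REST call from untrusted source {ip}: {method} {path}")
    for ip, count in result["flagged"].items():
        print(f"ALERT: {count} failed REST auth attempts from {ip}")
```

Run against the constructed sample, the script reports five REST calls from outside the trusted network and raises one alert for the address with four consecutive 401 responses on the customer-token endpoint. In production the same logic would read the live access log and feed a SIEM; the allow-list check is also the natural input for the network restriction NCERT recommends, since any address that legitimately appears in `untrusted_rest` is one that should either be added to the trusted set or blocked at the WAF.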
Security professionals emphasize that the flaw’s low attack complexity and lack of authentication requirements make it attractive to threat actors. Without timely remediation, organizations could face coordinated exploitation campaigns targeting online stores and payment systems. With millions of daily transactions processed through eCommerce platforms, the potential scale of compromise underscores the urgency of NCERT’s warning. The advisory highlights the importance of adopting layered security strategies, proactive monitoring, and rapid patch management to safeguard digital commerce environments from emerging threats like SessionReaper.