The National Computer Emergency Response Team (NCERT) has issued a critical security warning for users of Adobe Commerce and Magento Open Source, revealing a severe vulnerability that allows hackers to hijack customer accounts without login credentials. The flaw, known as “SessionReaper” (CVE-2025-54236), carries a 9.1 (Critical) severity rating and poses a major risk to online businesses and e-commerce operations.
Adobe Commerce and Magento Open Source are among the most widely used e-commerce platforms globally, powering thousands of online stores. If left unpatched, the vulnerability could lead to unauthorized account access, remote code execution, and theft of sensitive data.
According to NCERT, SessionReaper stems from improper input validation in the Commerce REST API, which lets a remote attacker tamper with session data and take over customer sessions without credentials. Affected releases include Adobe Commerce and Magento Open Source 2.4.9-alpha2 and earlier.
“Attackers can hijack active sessions and potentially execute arbitrary code when file-based session storage is enabled,” NCERT warned. “Administrators must apply emergency patches or upgrade to the latest release immediately.”
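Because the code-execution path described above depends on file-based session storage, the first thing an administrator will want to know is which session backend a store is actually using. The following PHP script is an added example, not code from Adobe, Magento or NCERT; it assumes the standard Magento layout in which the handler is set under `session/save` in `app/etc/env.php` (values `files`, `db` or `redis`) and that a missing key falls back to file-based storage. The sample configuration embedded in it is constructed for illustration.

```php
<?php
// check_session_storage.php: report which session save handler a Magento /
// Adobe Commerce installation uses, and flag file-based storage.
// Added example for this article; not Adobe's, Magento's or NCERT's code.
// Assumption: app/etc/env.php returns a PHP array and the handler lives at
// $config['session']['save'] with the value 'files', 'db' or 'redis'.

declare(strict_types=1);

function sessionSaveHandler(array $config): string
{
    // Assumption: when 'session/save' is absent, Magento falls back to
    // file-based storage, so a missing key is treated as 'files'.
    return strtolower((string) ($config['session']['save'] ?? 'files'));
}

function isFileBasedSessionStorage(array $config): bool
{
    return sessionSaveHandler($config) === 'files';
}

function loadEnvConfig(string $envFile): ?array
{
    if (!is_readable($envFile)) {
        return null;
    }
    $config = include $envFile;   // env.php is a PHP file that returns an array
    return is_array($config) ? $config : null;
}

function report(array $config): int
{
    $handler = sessionSaveHandler($config);
    if (isFileBasedSessionStorage($config)) {
        echo "session.save = {$handler}: file-based session storage is enabled; "
           . "apply the Adobe patch now and consider moving sessions to Redis or the database.\n";
        return 1;   // non-zero so the check can gate a deployment pipeline
    }
    echo "session.save = {$handler}: not file-based; the patch is still required "
       . "for the session-hijacking part of the flaw.\n";
    return 0;
}

// Usage: php check_session_storage.php [path/to/app/etc/env.php]
// With no argument the constructed sample below is checked instead of a real file.
$sampleEnv = [
    'session' => ['save' => 'files'],   // constructed example: the risky setting
];

$target = $argv[1] ?? null;
if ($target === null) {
    exit(report($sampleEnv));
}
$config = loadEnvConfig($target);
if ($config === null) {
    fwrite(STDERR, "cannot read a config array from {$target}\n");
    exit(2);
}
exit(report($config));
```

Run it from the Magento root with `php check_session_storage.php app/etc/env.php`; an exit code of 1 means sessions are stored on disk. Switching the backend (for example with Magento's own `bin/magento setup:config:set --session-save=redis` plus the matching Redis host options) removes the precondition the quoted warning names, but it does not fix the underlying REST API validation flaw, so it is a hardening step in addition to patching, not a substitute for it.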
Cybersecurity analysts have cautioned that, because the attack complexity is low and no authentication is required, the flaw could enable mass account takeovers, transaction tampering, and service disruptions across e-commerce sites.
NCERT has urged all organizations using affected platforms to:
Cyber experts emphasize that timely patching and continuous monitoring are vital to safeguard businesses from large-scale exploitation through the SessionReaper vulnerability.