The National Computer Emergency Response Team (NCERT) has issued a critical advisory for businesses running Adobe Commerce and Magento Open Source. The warning highlights a severe security flaw, tracked as CVE-2025-54236 and nicknamed SessionReaper, that could leave eCommerce platforms exposed to large-scale attacks.
Rated 9.1 on the CVSS scale, the vulnerability stems from improper input validation in the Commerce REST API. The CVSS score (Common Vulnerability Scoring System) measures the severity of security flaws on a scale of 0 to 10: 0.1-3.9 is low, 4.0-6.9 is medium, 7.0-8.9 is high, and 9.0-10.0 is critical. A 9.1 therefore places this flaw in the critical band, and the advisory describes it as giving attackers the ability to hijack customer sessions, take over accounts, and, in some configurations, execute remote code on affected servers.
NCERT confirmed that the bug affects Adobe Commerce and Magento Open Source across their supported deployment models, as well as the B2B extension and the Custom Attributes Serializable Module. The risks are serious: customer data theft, hijacked transactions, and, in some cases, full system compromise.
If exploited, attackers could seize control of customer accounts, steal sensitive information, escalate privileges through stolen tokens or API keys, and trigger widespread service disruption. In deployments that store sessions on the filesystem, remote code execution (RCE) becomes possible, amplifying the threat further. Which session backend a store uses is set by the `save` key of the `session` block in `app/etc/env.php` (`files`, `db`, or `redis`), so operators can check that setting to see whether the RCE path applies to them.
To counter these risks, NCERT is urging organizations to apply the emergency hotfix VULN-32437-2-4-X-patch or to apply the fixes described in Adobe security bulletin APSB25-88. The advisory also recommends rotating administrator and API credentials, limiting REST API exposure to trusted networks, enforcing strict WAF, IDS, or IPS rules, and closely monitoring logs for suspicious activity such as abnormal logins or privilege escalations.
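The monitoring and exposure-limiting recommendations above can be turned into a concrete log check. The script below is an added example written for this article; it is not code from NCERT, Adobe, or the Magento project, and it makes a few assumptions: access logs are in the standard nginx/Apache "combined" format, the REST API is served under the default `/rest/` prefix, and the admin panel uses the default `/admin/` front name (which is configurable per store). The sample log lines are constructed for the example, not captured traffic. It flags two things the advisory asks operators to watch for: REST API calls arriving from outside an allowlist of trusted networks, and bursts of POSTs to the admin login from a single source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in nginx/Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2025:09:01:10 +0000] "GET /rest/V1/store/storeConfigs HTTP/1.1" 200 512 "-" "integration/1.0"
203.0.113.7 - - [10/Sep/2025:09:02:15 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 98 "-" "curl/8.0"
203.0.113.7 - - [10/Sep/2025:09:02:16 +0000] "POST /rest/V1/guest-carts/abc/estimate-shipping-methods HTTP/1.1" 200 98 "-" "curl/8.0"
198.51.100.9 - - [10/Sep/2025:09:03:00 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:09:03:05 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:09:03:09 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:09:03:12 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2025:09:04:30 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 15032 "-" "Mozilla/5.0"
"""

# Field layout of the "combined" log format; adapt if your log_format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed defaults: Magento serves its REST API under /rest/; the admin
# front name is configurable and may not be /admin/ on your store.
REST_PREFIX = "/rest/"
ADMIN_PREFIX = "/admin/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def rest_calls_from_untrusted(events, trusted_cidrs):
    """Return (ip, method, path) for REST API requests from outside the allowlist."""
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for ev in events:
        if not ev["path"].startswith(REST_PREFIX):
            continue
        src = ip_address(ev["ip"])
        if not any(src in n for n in nets):
            hits.append((ev["ip"], ev["method"], ev["path"]))
    return hits


def admin_login_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak count} for sources that POST to the admin front name
    at least `threshold` times inside any sliding `window`."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].startswith(ADMIN_PREFIX):
            per_ip[ev["ip"]].append(ev["ts"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def triage(log_text, trusted_cidrs):
    """Run both checks over raw log text; unparseable lines are skipped."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return {
        "untrusted_rest": rest_calls_from_untrusted(events, trusted_cidrs),
        "admin_bursts": admin_login_bursts(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["10.0.0.0/8"])
    for ip, method, path in report["untrusted_rest"]:
        print(f"REST call from untrusted source {ip}: {method} {path}")
    for ip, n in report["admin_bursts"].items():
        print(f"admin login burst from {ip}: {n} POSTs within 60s")
```

One caveat when acting on the first check: a standard Magento storefront itself calls REST endpoints from the shopper's browser (guest carts and shipping estimates during checkout, for example), so blocking `/rest/` wholesale at the edge will break checkout. Restrict the integration and admin-token endpoints your store actually needs to expose, and treat unexpected sources on the remaining endpoints as a signal to investigate rather than as automatic proof of compromise.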
Security experts warn that large-scale exploitation campaigns could surface quickly, since the flaw is reachable over the network, requires no authentication, and involves low attack complexity. “Timely patching is essential to prevent mass compromise of eCommerce platforms,” NCERT said, while urging businesses to adopt defense-in-depth strategies and strengthen real-time monitoring.
With eCommerce operations handling millions of daily transactions, NCERT’s warning underscores the urgent need for quick action before attackers weaponize SessionReaper on a global scale.