
ISLAMABAD: The National Computer Emergency Response Team (NCERT) has issued a high-priority advisory warning to businesses of a critical vulnerability in Adobe Commerce and Magento Open Source platforms, dubbed SessionReaper.

The flaw, tracked as CVE-2025-54236, has been rated at CVSS 9.1 (Critical) and arises from improper input validation in the Commerce REST API. Successful exploitation could allow attackers to hijack customer sessions, gain unauthorized access to accounts, and, under certain conditions, execute remote code on affected servers.

According to NCERT, the vulnerability impacts multiple deployment methods of Adobe Commerce, Magento Open Source, B2B extensions, and the Custom Attributes Serializable Module. It poses a high risk of customer data theft, hijacked transactions, and potential full system compromise.

If exploited, attackers could achieve account takeover and theft of sensitive customer information; remote code execution (RCE) in environments with file-based session storage enabled; privilege escalation through stolen tokens or API keys; and service disruption, potentially leading to widespread downtime of eCommerce operations.

NCERT has urged organizations to apply the emergency hotfix VULN-32437-2-4-X-patch or upgrade to the latest Adobe release (APSB25-88) without delay. It also recommended rotating administrator and API credentials immediately, restricting REST API exposure to trusted networks, enforcing strict WAF/IDS/IPS rules to detect and block malicious traffic, and monitoring logs for abnormal login attempts, session manipulation, and privilege escalations.
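As an added illustration of the advisory's monitoring recommendations (this script is not part of the NCERT advisory or of Adobe's hotfix), the Python below scans a few constructed web-server access-log lines for behaviours NCERT asks operators to watch: REST API calls from outside a trusted network, bursts of REST calls and authentication failures from a single client, and repeated admin login attempts. The combined log format, the /rest/ and /admin path prefixes, the trusted-network list and the thresholds are assumptions, not values taken from the advisory.

```python
"""Triage of constructed access-log lines for the patterns NCERT recommends monitoring.

Assumptions (not from the advisory): Magento's REST API is served under /rest/,
the admin panel under /admin, logs are in NGINX/Apache combined format, and the
trusted networks and thresholds below are placeholders to adapt per deployment.
"""
import ipaddress
import re
from collections import Counter

# Placeholder trusted networks for the "restrict REST API exposure" check (assumption).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one untrusted client hammering the REST API with
# several auth failures, a trusted client, and a client retrying the admin login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:10:00:01 +0500] "POST /rest/V1/guest-carts HTTP/1.1" 200 64
203.0.113.7 - - [10/Oct/2025:10:00:01 +0500] "POST /rest/V1/guest-carts HTTP/1.1" 200 64
203.0.113.7 - - [10/Oct/2025:10:00:02 +0500] "POST /rest/V1/guest-carts HTTP/1.1" 200 64
203.0.113.7 - - [10/Oct/2025:10:00:02 +0500] "GET /rest/V1/customers/me HTTP/1.1" 401 48
203.0.113.7 - - [10/Oct/2025:10:00:03 +0500] "GET /rest/V1/customers/me HTTP/1.1" 401 48
203.0.113.7 - - [10/Oct/2025:10:00:03 +0500] "GET /rest/V1/customers/me HTTP/1.1" 403 48
10.0.0.5 - - [10/Oct/2025:10:00:04 +0500] "GET /rest/V1/products/SKU-1 HTTP/1.1" 200 900
198.51.100.9 - - [10/Oct/2025:10:00:05 +0500] "POST /admin/ HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2025:10:00:06 +0500] "POST /admin/ HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2025:10:00:07 +0500] "POST /admin/ HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2025:10:00:09 +0500] "GET /checkout/cart HTTP/1.1" 200 2200
192.168.1.20 - - [10/Oct/2025:10:00:10 +0500] "GET /rest/V1/store/storeViews HTTP/1.1" 200 300
"""


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def untrusted_rest_clients(entries):
    """Clients reaching the REST API from outside the trusted networks."""
    return sorted({e["ip"] for e in entries
                   if e["path"].startswith("/rest/") and not is_trusted(e["ip"])})


def bursty_rest_clients(entries, threshold=5):
    """Clients issuing at least `threshold` REST API requests in the window."""
    counts = Counter(e["ip"] for e in entries if e["path"].startswith("/rest/"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def auth_failure_clients(entries, threshold=2):
    """Clients collecting repeated 401/403 responses from the REST API."""
    counts = Counter(e["ip"] for e in entries
                     if e["path"].startswith("/rest/") and e["status"] in (401, 403))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def admin_login_attempts(entries, threshold=3):
    """Clients repeatedly POSTing to the admin panel (login retries, assumption)."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"].startswith("/admin"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def triage(text):
    """Run every check over a log text and return the combined findings."""
    entries = parse_log(text)
    return {
        "untrusted_rest_clients": untrusted_rest_clients(entries),
        "bursty_rest_clients": bursty_rest_clients(entries),
        "auth_failure_clients": auth_failure_clients(entries),
        "admin_login_attempts": admin_login_attempts(entries),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Each check returns a plain dict or list so the findings can be fed to a SIEM or alerting rule; in production the thresholds should be tuned against a baseline of normal REST API traffic, and the "untrusted client" check should be read as a policy check (is the REST API reachable from outside the trusted networks at all?) rather than as proof of compromise.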

The advisory warned that large-scale exploitation campaigns could emerge quickly, given the low complexity of attacks and the absence of authentication requirements.

“Timely patching is essential to prevent mass compromise of eCommerce platforms,” NCERT said, urging businesses to strengthen monitoring and apply defense-in-depth measures.

Copyright Business Recorder, 2025
