Adobe Commerce Flaw Lets Hackers Take Over User Accounts.

Severity: CRITICAL (CVE-2025-54236)

CVSS V3.0 Score: 9.1

Information

Adobe Commerce is a powerful, cloud-based e-commerce platform for building and managing online businesses, known for its flexibility, scalability, and support for both B2C (business-to-consumer) and B2B (business-to-business) transactions.

Formerly known as Magento, it is a composable solution that integrates with other Adobe products, such as Adobe Analytics and Adobe Experience Manager, to create personalized, omnichannel shopping experiences powered by AI and a global network of developers and partners.

Adobe has issued a security advisory for a critical vulnerability in Adobe Commerce and Magento Open Source, tracked as CVE-2025-54236 and nicknamed SessionReaper. The flaw carries a CVSS score of 9.1 and could allow attackers to take over customer accounts via the Commerce REST API.

The SessionReaper flaw stems from improper input validation, enabling malicious actors to craft requests that compromise customer accounts through the API.

  Adobe confirms that this vulnerability affects multiple products, including:

Adobe Commerce

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Magento Open Source

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

Adobe Commerce B2B

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Custom Attributes Serializable module

  • Versions 0.1.0 to 0.4.0
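As an added triage helper (not code from Adobe, Sansec or this bulletin), the following Python parses Magento-style version strings and checks them against the affected-version ceilings listed above, treating each entry as the top of an "and earlier" range within its own release line; the version string is assumed to come from the store's own records, for example the output of bin/magento --version.

```python
import re

# Ceilings copied from the bulletin: each entry is "X and earlier" within its release line.
AFFECTED = {
    "commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
    "b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
}
# Custom Attributes Serializable module: versions 0.1.0 to 0.4.0 inclusive.
MODULE_RANGE = ("0.1.0", "0.4.0")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Turn '2.4.8-p2' into a sortable tuple: (major, minor, patch, stage, n).

    Stage ordering within one release line is alpha < beta < GA < pN, which is
    how Magento numbers pre-releases and security patch releases.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    stage_rank = {"alpha": 0, "beta": 1, None: 2, "p": 3}[stage]
    return (int(major), int(minor), int(patch), stage_rank, int(n or 0))


def is_listed_affected(product, version):
    """True if `version` falls in a listed 'and earlier' range for `product`.

    Only the matching release line (same major.minor.patch) is compared, so
    2.4.7-p3 is checked against 2.4.7-p7, not against 2.4.8-p2.
    A False result means 'not listed', not 'known safe'.
    """
    ver = parse_version(version)
    for ceiling in AFFECTED[product]:
        top = parse_version(ceiling)
        if ver[:3] == top[:3] and ver <= top:
            return True
    return False


def module_in_affected_range(version):
    """True if the Custom Attributes Serializable module version is 0.1.0..0.4.0."""
    low, high = (parse_version(v) for v in MODULE_RANGE)
    return low <= parse_version(version) <= high


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, ver in [("commerce", "2.4.7-p3"), ("open-source", "2.4.9"), ("b2b", "1.3.3-p15")]:
        print(product, ver, "listed" if is_listed_affected(product, ver) else "not listed")
    print("module 0.3.1:", module_in_affected_range("0.3.1"))
```

Because the hotfix in the recommendations is applied separately from a version upgrade, a "listed" result means "verify the hotfix is in place", not "compromised".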

Incident

E-commerce security company Sansec has reproduced the exploit, showing that attackers can combine malicious sessions with a nested deserialization bug in Magento’s REST API to gain account control.

Although the proof-of-concept relied on file-based session storage, Adobe warned that systems using Redis or database sessions may also be vulnerable, as multiple exploitation vectors are possible.

Sansec described SessionReaper as one of the most severe Magento vulnerabilities to date, comparing it to notorious attacks such as:

  • Shoplift (2015)
  • Ambionics SQLi (2019)
  • TrojanOrder (2022)
  • CosmicSting (2024)

These attacks have all had a severe impact on the global e-commerce industry.

Recommendation

 Organizations running Adobe Commerce or Magento should act immediately:

  1. Apply the hotfix to patch vulnerable systems.
  2. Enable and configure WAF protection.
  3. Update or remove vulnerable Custom Attributes Serializable modules.
  4. Review session storage configurations (file-based, Redis, or database).
  5. Enhance logging and access controls to detect suspicious activity.

Security systems are important. We must stay vigilant and monitor as usual.

References

Weekly Interesting CVE

1. CVE-2024-43166
Published: 3/9/2025 | Last update: 3/9/2025
Target: Apache DolphinScheduler, versions prior to 3.2.2
Attack type: Incorrect Default Permissions
CVSS severity rating: 9.8
Detail: An Incorrect Default Permissions (CWE-276) vulnerability exists in the installation process of Apache DolphinScheduler versions prior to 3.2.2. Some files have improperly set permissions, allowing local users to modify critical files, potentially leading to privilege escalation or complete control of the system.
Solution: Update to version 3.2.2.
Reference: https://app.opencve.io/cve/CVE-2024-43166

2. CVE-2024-39335
Published: 26/8/2025 | Last update: 27/8/2025
Target: Mahara 24.04 (before 24.04.1) and Mahara 23.04 (before 23.04.6)
Attack type: Information Disclosure
CVSS severity rating: 9.1
Detail: A vulnerability that could allow data to be leaked to the institution's administrators under certain conditions through the "Current submissions" page located in the menu: Administration -> Groups -> Submissions.
Solution: Update Mahara to version 24.04.1 or higher (24.04 line) or 23.04.6 or higher (23.04 line).
Reference: https://app.opencve.io/cve/CVE-2024-39335

3. CVE-2025-55244
Published: 15/4/2025 | Last update: 19/8/2025
Target: Azure Bot Service
Attack type: Elevation of Privilege
CVSS severity rating: 9
Detail: This vulnerability allows an attacker to elevate privileges without holding any user privileges and without any user interaction.
Solution: Install the patch immediately from the Microsoft update guide.
Reference: https://app.opencve.io/cve/CVE-2025-55244

4. CVE-2025-53149
Published: 12/8/2025 | Last update: 6/9/2025
Target: Windows 10 (1507, 1607, 1809, 21H2, 22H2); Windows 11 (22H2, 22H3, 23H2, 24H2); Windows Server (2008, 2008 SP2, 2012, 2016, 2019, 2022, 2022 23H2, 2025)
Attack type: Privilege escalation
CVSS severity rating: 7.8
Detail: Heap-based buffer overflow vulnerability in the Kernel Streaming WOW Thunk Service Driver on Windows systems. The vulnerability stems from improper handling of heap-based buffers, allowing an authorized local attacker to escalate to higher privileges (e.g., SYSTEM).
Solution: Install patches with KB codes such as KB5063877, KB5063709, KB5063875, etc.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53149

5. CVE-2025-36899
Published: 4/9/2025 | Last update: 8/9/2025
Target: Android kernel
Attack type: Privilege escalation
CVSS severity rating: 9.8
Detail: A privilege escalation vulnerability in Android devices (Android kernel) is caused by debugging code being included in production builds, which could allow an attacker to escalate privileges without requiring any user privileges or interaction.
Solution: Make sure your Android device is updated to patch level 2025-09-05 or later. This can typically be done via Settings > System > System update or the relevant menu on your device.
Reference: https://source.android.com/docs/security/bulletin/pixel/2025-09-01?hl=th

Malware News or Campaign IOC/IOA | EN

1. Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test
Detection date: 06/09/2025
Attack type: Phishing
Description: A hacker group known as Noisy Bear (believed to have ties to Russia) has launched a cyber operation called Operation BarrelFire, targeting KazMunaiGas (KMG), Kazakhstan’s national oil and gas company, which represents a critical part of the country’s economy. The campaign, which began in April 2025, was analyzed by Seqrite Labs, revealing that Noisy Bear employed sophisticated spear-phishing techniques to infiltrate KMG’s internal systems. The attackers impersonated the company’s IT department by sending fake emails disguised as official documents, such as new policy announcements, authentication procedures, salary adjustments, or HR-related updates. These emails contained ZIP attachments, which included .LNK files that appeared to be normal shortcuts but in fact downloaded malicious scripts from the internet. Once executed, the scripts acted as a dropper, pulling subsequent malware stages onto the victim’s machine. At the final stage, the attackers gained control over infected devices, enabling them to exfiltrate sensitive data and potentially expand access to the organization’s critical systems. What makes this particularly concerning is that the campaign specifically targeted the national energy sector, a vital component of Kazakhstan’s critical infrastructure. A successful compromise could result in wide-ranging consequences, including production disruptions, oil and gas system outages, or even threats to national security.
Mitigation/Remediation:
  • Enforce Multi-Factor Authentication (MFA) for all accounts, especially for admin and remote access.
  • Implement ongoing training programs to help employees recognize phishing emails.
  • Segment IT and OT (Operational Technology) networks to reduce the risk of attacks spreading from office systems into industrial control systems.

Ref: https://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/

16 September 2025
