
NCERT warns businesses running Magento Open Source and Adobe Commerce of a severe SessionReaper vulnerability that could compromise customer data and eCommerce operations globally.
The National Computer Emergency Response Team (NCERT) has issued a critical security advisory for Adobe Commerce and Magento Open Source, highlighting a severe flaw tracked as CVE-2025-54236, nicknamed SessionReaper. With a 9.1 CVSS rating, the vulnerability stems from improper input validation in the Commerce REST API and can be exploited without authentication, with low attack complexity.
The flaw puts millions of eCommerce transactions at risk, enabling attackers to hijack customer sessions, steal data, escalate privileges via stolen tokens or API keys, and, in some setups, execute remote code (RCE). Multiple deployment methods are impacted, including B2B extensions and the Custom Attributes Serializable Module.
To mitigate the risk, NCERT urges businesses to apply emergency hotfix VULN-32437-2-4-X-patch or upgrade to Adobe’s latest release (APSB25-88). Additional measures include rotating admin and API credentials, restricting REST API access to trusted networks, enforcing strict WAF, IDS, or IPS rules, and monitoring logs for suspicious activity.
“Timely patching is essential to prevent mass compromise of eCommerce platforms,” NCERT stated, emphasising the importance of defense-in-depth strategies and real-time monitoring.
The advisory underscores a pressing open source supply chain security risk, as widely used platforms like Magento Open Source face the same level of threat as enterprise solutions. Experts warn that large-scale exploitation could emerge quickly, highlighting the urgent need for faster patch adoption and community-driven security frameworks to protect global eCommerce operations.
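One way to act on the "monitor logs for suspicious activity" and "restrict REST API access to trusted networks" advice above is a small check over the web server's access log that flags every request to the Commerce REST API that did not come from an allowlisted network. The following is an added example written for this page; it is not code from NCERT's advisory, Adobe, or the Magento project. It assumes the nginx "combined" log format, that the REST API is served under the `/rest/` base path (optionally prefixed by `/index.php/`), and the trusted ranges and log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Networks assumed to be allowed to reach the Commerce REST API (constructed
# example ranges; replace with the store's own integration and office networks).
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")
]

# Magento / Adobe Commerce expose the REST API under /rest/; some deployments
# route it through index.php, so both forms are matched (assumption for this example).
REST_PATH = re.compile(r"^/(?:index\.php/)?rest/", re.IGNORECASE)

# nginx "combined" log format:
# <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """
10.1.2.3 - - [10/Oct/2025:12:00:01 +0000] "GET /rest/V1/products?searchCriteria[pageSize]=10 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:09 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32"
198.51.100.7 - - [10/Oct/2025:12:00:10 +0000] "POST /rest/V1/guest-carts/abc123/items HTTP/1.1" 400 97 "-" "python-requests/2.32"
203.0.113.20 - - [10/Oct/2025:12:00:15 +0000] "GET /rest/V1/store/storeConfigs HTTP/1.1" 200 2210 "-" "integration-client/1.0"
192.0.2.44 - - [10/Oct/2025:12:00:20 +0000] "GET /index.php/rest/V1/customers/me HTTP/1.1" 401 63 "-" "curl/8.5.0"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_rest_request(path):
    """True if the request path (query string stripped) targets the REST API."""
    return REST_PATH.match(path.split("?", 1)[0]) is not None


def find_untrusted_rest_requests(lines):
    """Return parsed records for REST API calls that came from outside the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_rest_request(rec["path"]) and not is_trusted(rec["ip"]):
            findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Count flagged REST requests per client IP so the noisiest sources surface first."""
    return dict(Counter(rec["ip"] for rec in findings))


if __name__ == "__main__":
    hits = find_untrusted_rest_requests(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("per-source totals:", summarize_by_source(hits))
```

Run against the real log (for example `find_untrusted_rest_requests(open("/var/log/nginx/access.log"))`) after the hotfix is applied: any source that still shows up here is either a missing allowlist entry or traffic worth investigating, and the per-source totals give a quick way to spot a single client hammering the API.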