Advisory

Adobe releases September 2025 patches for multiple products, warns of critical flaw in Adobe Commerce/Magento

Take action: If you are using Adobe Commerce/Magento, this advisory is URGENT AND IMPORTANT - Patch your Commerce/Magento IMMEDIATELY. For everyone else, the high-priority patches are Adobe Acrobat/Reader and ColdFusion. Then review the advisory for the rest of the Adobe products you use.


Learn More

Adobe has released the September 2025 security updates addressing vulnerabilities across multiple products. As part of the patch release, Adobe has issued an emergency security update for a critical vulnerability in its Commerce and Magento Open Source platforms that security researchers have dubbed "SessionReaper".

SessionReaper is described as one of the most severe security flaws in the history of these e-commerce platforms. The vulnerability, tracked as CVE-2025-54236 (CVSS score 9.1), could be exploited without authentication to take control of customer accounts through the Commerce REST API.

Adobe took the unusual step of notifying customers of the patch in advance of its release. Security researchers expect CVE-2025-54236 to be abused via automation at scale, enabling automated account takeover, data theft, and fraudulent orders without requiring valid session tokens.

Adobe Acrobat and Reader

Critical vulnerabilities

  • CVE-2025-54257 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Important vulnerabilities

  • CVE-2025-54255 (CVSS score 2.4) - Violation of Secure Design Principles vulnerability that could lead to security feature bypass.

Affected Versions:

  • Acrobat DC Continuous Track: Windows 25.001.20672 and earlier, macOS 25.001.20668 and earlier
  • Acrobat Reader DC Continuous Track: Windows 25.001.20672 and earlier, macOS 25.001.20668 and earlier
  • Acrobat 2024 Classic Track: Windows & macOS 24.001.30254 and earlier
  • Acrobat 2020 Classic Track: Windows & macOS 20.005.30774 and earlier
  • Acrobat Reader 2020 Classic Track: Windows & macOS 20.005.30774 and earlier

Adobe After Effects

Important vulnerabilities

  • CVE-2025-54239 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
  • CVE-2025-54240 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
  • CVE-2025-54241 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.

Affected Versions:

  • Adobe After Effects 24.6.7 and earlier versions
  • Adobe After Effects 25.3 and earlier versions

Adobe Premiere Pro

Critical vulnerabilities

  • CVE-2025-54242 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Premiere Pro 25.3 and earlier versions
  • Adobe Premiere Pro 24.6.5 and earlier versions

Adobe Commerce/Magento

Critical vulnerabilities

  • CVE-2025-54236 (CVSS score 9.1) - SessionReaper - Improper Input Validation vulnerability that could lead to security feature bypass. This is the most critical flaw of the entire patch release.

Affected Versions:

  • Adobe Commerce 2.4.9-alpha2 and earlier versions, 2.4.8-p2 and earlier versions, 2.4.7-p7 and earlier versions, 2.4.6-p12 and earlier versions, 2.4.5-p14 and earlier versions, 2.4.4-p15 and earlier versions
  • Adobe Commerce B2B 1.5.3-alpha2 and earlier versions, 1.5.2-p2 and earlier versions, 1.4.2-p7 and earlier versions, 1.3.4-p14 and earlier versions, 1.3.3-p15 and earlier versions
  • Magento Open Source 2.4.9-alpha2 and earlier versions, 2.4.8-p2 and earlier versions, 2.4.7-p7 and earlier versions, 2.4.6-p12 and earlier versions, 2.4.5-p14 and earlier versions
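Because the affected-version list above is per release line ("2.4.7-p7 and earlier" does not mean 2.4.6-p13 is affected, and a 2.4.9 alpha sorts before a GA build), a plain string comparison gives wrong answers. The script below is an added example, not code from Adobe or from this advisory: it parses Commerce/Magento version strings (GA, alpha/beta/rc and -pN patch levels), reads the installed version out of a constructed composer.lock fragment, and reports whether a store falls inside the ranges listed above. It assumes the platform package names `magento/product-community-edition` and `magento/product-enterprise-edition` and the lock-file layout shown in the constructed sample. A version check alone cannot tell whether an out-of-band hotfix has been applied on top of an affected version, so treat "affected" as "verify the hotfix is present", not as proof of exposure.

```python
import json
import re
from typing import Iterable, Optional, Tuple

# Ceilings copied from the advisory ("X and earlier versions"); Magento Open Source
# has no 2.4.4 line in the advisory, Adobe Commerce does.
COMMERCE_CEILINGS = ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"]
MAGENTO_OS_CEILINGS = ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"alpha": -3, "beta": -2, "rc": -1}   # pre-releases sort before GA (rank 0)

VersionKey = Tuple[int, int, int, int, int]


def parse_version(v: str) -> VersionKey:
    """Map '2.4.7-p3' to a sortable tuple (major, minor, patch, rank, number).

    rank: -3/-2/-1 for alpha/beta/rc, 0 for a GA build, 1 for a -pN security patch.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Commerce/Magento version: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    kind, num = m.group(4), m.group(5)
    if kind is None:
        return (major, minor, patch, 0, 0)
    kind = kind.lower()
    if kind == "p":
        return (major, minor, patch, 1, int(num))
    return (major, minor, patch, _PRE_RANK[kind], int(num))


def assess(version: str, ceilings: Iterable[str]) -> str:
    """Return 'affected', 'patched' or 'not_listed' for one release line.

    Each ceiling applies only to its own x.y.z line. Anything older than the
    lowest listed line is out of support and treated as affected.
    """
    parsed = parse_version(version)
    parsed_ceilings = sorted(parse_version(c) for c in ceilings)
    for ceiling in parsed_ceilings:
        if ceiling[:3] == parsed[:3]:
            return "affected" if parsed <= ceiling else "patched"
    if parsed < parsed_ceilings[0]:
        return "affected"
    return "not_listed"


def version_from_composer_lock(lock_text: str) -> Optional[Tuple[str, str]]:
    """Find the platform package in composer.lock and return (edition, version).

    Assumes the package names used by Magento Open Source ('community') and
    Adobe Commerce ('enterprise'); returns None when neither is present.
    """
    editions = {
        "magento/product-community-edition": "magento-open-source",
        "magento/product-enterprise-edition": "adobe-commerce",
    }
    for pkg in json.loads(lock_text).get("packages", []):
        name = pkg.get("name")
        if name in editions:
            return editions[name], pkg["version"]
    return None


def assess_lock(lock_text: str) -> str:
    """Combine lock-file parsing with the edition-specific ceiling list."""
    found = version_from_composer_lock(lock_text)
    if found is None:
        return "no_platform_package"
    edition, version = found
    ceilings = COMMERCE_CEILINGS if edition == "adobe-commerce" else MAGENTO_OS_CEILINGS
    return assess(version, ceilings)


# Constructed composer.lock fragment (sample input, not a real store's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7-p3"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p3"},
    ]
})

if __name__ == "__main__":
    print(version_from_composer_lock(SAMPLE_LOCK), "->", assess_lock(SAMPLE_LOCK))
    for v in ["2.4.7-p7", "2.4.7-p8", "2.4.9-alpha2", "2.4.9", "2.4.3", "2.4.10"]:
        print(f"{v:14s} {assess(v, MAGENTO_OS_CEILINGS)}")
```

Run it against a copy of the store's composer.lock (for example with `assess_lock(open("composer.lock").read())`) from a deploy pipeline, and fail the pipeline on anything other than "patched" until the hotfix or a fixed release has been verified on the host.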

Adobe Substance 3D Viewer

Critical vulnerabilities

  • CVE-2025-54243 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
  • CVE-2025-54244 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
  • CVE-2025-54245 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Substance 3D Viewer 0.25.1 and earlier versions

Adobe Experience Manager

Critical vulnerabilities

  • CVE-2025-54248 (CVSS score 7.7) - Improper Input Validation vulnerability that could lead to security feature bypass.

Important vulnerabilities

  • CVE-2025-54246 (CVSS score 6.5) - Incorrect Authorization vulnerability that could lead to security feature bypass.
  • CVE-2025-54247 (CVSS score 6.5) - Improper Input Validation vulnerability that could lead to security feature bypass.
  • CVE-2025-54249 (CVSS score 6.5) - Server-Side Request Forgery (SSRF) vulnerability that could lead to security feature bypass.
  • CVE-2025-54250 (CVSS score 4.9) - Improper Input Validation vulnerability that could lead to security feature bypass.
  • CVE-2025-54251 (CVSS score 4.3) - XML Injection vulnerability that could lead to security feature bypass.
  • CVE-2025-54252 (CVSS score 5.4) - Cross-site Scripting (Stored XSS) vulnerability that could lead to security feature bypass.

Affected Versions:

  • Adobe Experience Manager AEM Cloud Service (CS)
  • Adobe Experience Manager 6.5 LTS SP1 and earlier versions
  • Adobe Experience Manager 6.5.23 and earlier versions

Adobe Dreamweaver

Critical vulnerabilities

  • CVE-2025-54256 (CVSS score N/A) - Cross-Site Request Forgery (CSRF) vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Adobe Dreamweaver 21.5 and earlier versions

Adobe Substance 3D Modeler

Critical vulnerabilities

  • CVE-2025-54258 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
  • CVE-2025-54259 (CVSS score 7.8) - Integer Overflow or Wraparound vulnerability that could lead to arbitrary code execution.
  • CVE-2025-54260 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.

Affected Versions:

  • Substance 3D Modeler 1.22.2 and earlier versions

Adobe ColdFusion

Critical vulnerabilities

  • CVE-2025-54261 (CVSS score 9.0) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system write.

Affected Versions:

  • ColdFusion 2025 Update 3 and earlier versions
  • ColdFusion 2023 Update 15 and earlier versions
  • ColdFusion 2021 Update 21 and earlier versions

Adobe reports that it is not aware of any exploits in the wild for any of the issues addressed in these updates at the time of release. That status can change quickly once patches are public, so users are strongly encouraged to update their software to the latest versions now, starting with Commerce/Magento, Acrobat/Reader and ColdFusion.
