Adobe Commerce and Magento Open Source have been hit by a vulnerability called SessionReaper (CVE-2025-54236). This bug allows attackers not only to take over customer accounts but also — under certain conditions — to execute malicious code remotely.
Sansec Forensics, who analyzed the issue, warn that this vulnerability is among the most severe in Magento’s history, standing alongside infamous bugs like Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). Each of those led to thousands of hacked stores within hours or days. SessionReaper may follow the same path if store owners don’t act quickly.
The attack abuses a malicious session combined with a deserialization bug in Magento’s REST API. When file-based session storage is in use, it can lead to unauthenticated remote code execution (RCE) — the nightmare scenario for any online merchant.
Even if you’re running Redis or database sessions, Sansec cautions that the vulnerability can still be abused for account takeover and other attacks.
The severity score speaks for itself: CVSS 9.1 (Critical). Exploitation requires no credentials, no admin privileges, and no user interaction. In other words, anyone on the internet can try this.
The Patch — and the Leak
Adobe responded by releasing an emergency out-of-band patch on September 9, 2025 under bulletin APSB25-88. This hotfix applies to all supported versions between 2.4.4 and 2.4.7.
Unfortunately, the patch was leaked a week earlier, giving attackers extra time to weaponize the exploit. Sansec now expects automated mass exploitation to begin any moment.
The vulnerability affects:
- Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier
- Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier
- Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier
What Merchants Should Do Immediately
- Apply the Patch Now: Don’t wait. Test and deploy the hotfix as soon as possible. Adobe’s advisory provides developer notes to help avoid breaking custom code.
- Use a WAF if You Can’t Patch Fast Enough: If patching within 24 hours isn’t possible, enable a Web Application Firewall (WAF). Only Adobe Fastly and Sansec Shield are currently confirmed to block this attack.
- Scan for Malware: If you patched late, run a scanner like eComscan to check for compromise. Rotate your Magento crypt key as well — if it was leaked, attackers could keep manipulating your CMS blocks indefinitely.
- Stay Alert: Keep an eye out for suspicious admin users, modified files, or changes in your store’s behavior. History shows that once Magento exploits go public, automated attacks follow almost instantly.
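As an added triage check (example code written for this page, not from the article, Adobe, or Sansec): the script below compares a store's reported version against the affected release lines listed above and reads the session storage backend out of app/etc/env.php, since file-based sessions are the configuration the article ties to unauthenticated RCE. It assumes `bin/magento --version` prints a line like "Magento CLI 2.4.7-p3" and that env.php declares the backend as 'session' => ['save' => ...]; the sample inputs are constructed.

```python
import re

# Affected-version ceilings per release line, as listed in the advisory summary above.
AFFECTED_MAX = {
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, "p": 2}  # GA (no suffix) is treated as p0

def parse_version(text):
    """'2.4.7-p3' -> ((2, 4, 7), (2, 3)); orders alpha < beta < GA < -p1 < -p2 ..."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    line = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        return line, (2, 0)
    return line, (_STAGE[m.group(4)], int(m.group(5)))

def version_from_cli(output):
    """Pull the version token out of `bin/magento --version` output (assumed format)."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?", output)
    return m.group(0) if m else None

def is_affected(product, version):
    """True if at/below the ceiling for its release line, False if above, None if line unlisted."""
    line, rank = parse_version(version)
    for ceiling in AFFECTED_MAX[product]:
        cline, crank = parse_version(ceiling)
        if cline == line:
            return rank <= crank
    return None

def session_storage(env_php):
    """Return the session 'save' backend ('files', 'redis', 'db') declared in env.php text."""
    m = re.search(r"'session'\s*=>\s*\[\s*'save'\s*=>\s*'([^']+)'", env_php)
    return m.group(1) if m else None

def triage(product, cli_output, env_php):
    """Combine both checks into one verdict; 'files' plus affected=True is the worst case."""
    version = version_from_cli(cli_output)
    return {"version": version,
            "affected": is_affected(product, version) if version else None,
            "session_store": session_storage(env_php)}

# Constructed sample inputs, not taken from a real store.
SAMPLE_CLI_OUTPUT = "Magento CLI 2.4.7-p3"
SAMPLE_ENV_PHP = "<?php\nreturn [\n    'session' => [\n        'save' => 'files'\n    ],\n];\n"
```

Feed `triage()` the real output of `bin/magento --version` and the contents of your env.php; a result of affected=True with session_store='files' is the case the article describes as unauthenticated RCE, while any other affected=True result still needs the patch for the account-takeover path.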
Magento and Adobe Commerce power tens of thousands of online stores. A vulnerability like SessionReaper doesn’t just risk customer data — it puts entire businesses on the line. Stolen sessions, injected malware, and hijacked payment flows can erode customer trust overnight.
👉 For more details, see Adobe’s official advisory (APSB25-88) and Sansec’s SessionReaper analysis.