
SessionReaper Vulnerability Puts Magento & Adobe Commerce Sites in Hacker Crosshairs

Adobe has broken its regular patch schedule to address CVE-2025-54236, a critical vulnerability in Magento Commerce and open-source Magento installations.

Dubbed “SessionReaper,” this vulnerability allows attackers to bypass input validation in the Magento Web API, enabling automated account takeover, data theft, and fraudulent orders without requiring valid session tokens.

Adobe will release an emergency fix on Tuesday, September 9th at 14:00 UTC—over a month ahead of its planned October 14th update—and urges merchants to prepare immediately to thwart widespread exploitation.

SessionReaper is among the most severe Magento vulnerabilities in history, rivaling notorious vulnerabilities such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024).

Each prior exploit led to thousands of stores being compromised within hours of public disclosure.

Adobe initially discussed an emergency patch internally on August 22nd and provided advance notice to Commerce customers on September 4th, but open-source Magento users received no warning, triggering frustration in the broader community over the lack of transparency.

Date         Milestone
2025-08-22   Adobe begins internal development of emergency SessionReaper fix
2025-09-04   Private notification sent to Adobe Commerce customers
2025-09-09   Emergency patch for CVE-2025-54236 scheduled for public release at 14:00 UTC

Magento administrators should monitor Adobe’s security page for updates and download the official patch immediately upon release. Adobe’s advisory and patch download will be available at the Magento Security Center.

Merchants using Sansec Shield are already protected against SessionReaper automated abuse.

Stores without Sansec Shield must prioritize patch testing in staging environments and schedule immediate deployment into production.

A concept patch—MCLOUD-14016 for CVE-2025-54236 webapi improvement—has leaked, modifying vendor/magento/framework/Webapi/ServiceInputProcessor.php to enforce strict parameter type checks.

However, this leak is unofficial and may differ from Adobe’s final release; applying it carries risk and should be undertaken only with thorough testing.

Once the official patch is released, store owners should:

1. Ensure staging validation.
2. Deploy the update to all environments within hours.
3. Invalidate existing session cookies and require customer reauthentication.
4. Rotate API keys and service account credentials.
5. Monitor logs for suspicious Web API calls.
6. Review live attack feeds at Sansec’s portal for emerging indicators of compromise.

SessionReaper exploits a vulnerability in the Web API service input processor, where unsanitized data can be passed to backend constructors.

The leaked diff adds a check to allow only simple scalar types or recognized API data objects, skipping any unexpected parameter types.

Until the official patch is confirmed, administrators should add compensating controls such as web application firewalls with strict JSON schema validation to mitigate in-flight abuse.
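As an added illustration (not Magento’s code and not the leaked patch), the Python validator below models the strict parameter-type rule described above, as a WAF-style check in front of a Web API endpoint: every request parameter must be a declared scalar or a recognized data object with only its declared fields, and anything else is rejected. The endpoint schema, data-object names and field names are constructed for this example.

```python
import json
# Constructed, illustrative schema for one hypothetical endpoint (not Magento's
# real service contracts): a parameter is either a scalar type or a named data
# object whose own fields are declared in DATA_OBJECTS.
DATA_OBJECTS = {
    "CustomerData": {"email": str, "firstname": str, "lastname": str},
    "AddressData": {"street": str, "city": str, "postcode": str},
}
ENDPOINT_PARAMS = {"customer": "CustomerData", "address": "AddressData", "password": str}

def validate_param(value, expected):
    """Return None if value matches the declared type, else a reason string."""
    if expected in (str, int, float, bool):
        # bool is a subclass of int in Python; keep the check strict anyway
        if isinstance(value, bool) and expected is not bool:
            return "bool where %s expected" % expected.__name__
        if not isinstance(value, expected):
            return "expected %s, got %s" % (expected.__name__, type(value).__name__)
        return None
    fields = DATA_OBJECTS.get(expected)
    if fields is None:
        return "unknown parameter type %r" % expected
    # A data object must be a JSON object carrying only its declared fields;
    # each field is validated recursively, so arbitrary nested structures or
    # undeclared keys are rejected rather than passed through to the backend.
    if not isinstance(value, dict):
        return "expected object %s, got %s" % (expected, type(value).__name__)
    for key, sub in value.items():
        if key not in fields:
            return "unexpected field %r in %s" % (key, expected)
        problem = validate_param(sub, fields[key])
        if problem:
            return "%s.%s: %s" % (expected, key, problem)
    return None

def validate_request(body, params=ENDPOINT_PARAMS):
    """Strictly validate a JSON request body; returns (accepted, reason)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(data, dict):
        return False, "body must be a JSON object"
    for key, value in data.items():
        if key not in params:
            return False, "unexpected parameter %r" % key
        problem = validate_param(value, params[key])
        if problem:
            return False, "%s: %s" % (key, problem)
    return True, "ok"
```

Rejected requests return the first offending parameter so the reason can be logged alongside the call for the monitoring step above.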

Adobe’s decision to accelerate the fix outside its normal cadence underscores the criticality of SessionReaper.

Merchants running Magento in shared or unmanaged hosting environments are particularly at risk, as automated attack tools will scan for unpatched endpoints immediately following disclosure.

The history of rapid exploitation in Magento’s ecosystem—most recently seen with CosmicSting’s mass credit-card theft campaigns—demonstrates that delaying remediation even by hours can result in large-scale data breaches and revenue loss.

The Magento community must learn from past incidents: thorough patch management, layered defenses, and timely communication are essential to protect online storefronts.

Adobe’s break from its October patch cycle is an unprecedented move that highlights the severity of SessionReaper.

Merchants should act without delay, deploy the emergency update, and strengthen monitoring to prevent automated abuse and safeguard customer data.
