Adobe has broken from its regular patch schedule to release an emergency fix for CVE-2025-54236, a vulnerability Sansec has dubbed SessionReaper. The flaw, described by Sansec as one of the most severe in Magento's history, could enable automated attacks against thousands of online stores within hours of disclosure.
Sansec reports: “Adobe breaks their regular patch schedule and will release an emergency fix for CVE-2025-54236 within the next 24 hours. Automated abuse is expected and merchants should act immediately.”
Adobe’s next scheduled patch date was October 14, but the company accelerated release due to the flaw’s severity. The patch is expected at 14:00 UTC on Tuesday, September 9, 2025.
Sansec compared SessionReaper to some of Magento’s most infamous vulnerabilities:
- Shoplift (2015)
- Ambionics SQLi (2019)
- TrojanOrder (2022)
- CosmicSting (2024)
As the report highlights, “Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.”
Adobe provided advance notice to its Commerce customers but not to open source Magento users, leaving the latter community frustrated about the lack of prior warning for such a critical security update.
SessionReaper lies in Magento's WebAPI ServiceInputProcessor, the component that converts REST request payloads into the typed parameters of the service methods behind the API. Malicious input accepted by that component can be abused to hijack user sessions or manipulate sensitive data. Given Magento's widespread use in e-commerce, exploitation could result in large-scale credit card theft, account takeover, or administrative access.
Sansec warns that automated exploitation tools are likely to appear rapidly: “Automated abuse is expected and merchants should act immediately.”
A leaked concept patch named “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement” is circulating, but Sansec cautions that its stability and completeness are unverified.
For now, merchants should:
- Apply the emergency patch immediately upon release.
- If patching is not possible, restrict exposure of the REST web API (the code path ServiceInputProcessor handles) and monitor logs for suspicious session activity.
- Deploy protective tools like Sansec Shield, which the company confirmed already mitigates this attack vector.
Update:
Adobe has released a critical security update for Adobe Commerce and Magento Open Source, addressing CVE-2025-54236 — a vulnerability that could allow attackers to bypass security features.
According to Adobe, “Successful exploitation could lead to security feature bypass.”
The vulnerability affects a wide range of versions across both Adobe Commerce and Magento Open Source. While Adobe has stated that “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” the critical rating indicates that exploitation could have severe consequences for online stores handling sensitive customer and financial data.
The advisory confirms that CVE-2025-54236 impacts:
- Adobe Commerce versions up to 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, and 2.4.4-p15.
- Adobe Commerce B2B versions up to 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.4-p14, and 1.3.3-p15.
- Magento Open Source versions up to 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, and 2.4.5-p14.
Adobe has released a hotfix for CVE-2025-54236 that is compatible with all affected Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7.
The company strongly advises users to update their installations to the patched versions without delay.
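The version list above is easy to misread, because Magento patch levels (`-p7`), pre-releases (`-alpha2`) and plain GA releases (`2.4.8`) do not sort as simple strings: `2.4.8` with no suffix is older than `2.4.8-p2` and therefore affected. The following Python is an added example, not code from Adobe or Sansec. It encodes the "up to and including" ceilings from the advisory quoted above, parses a version string of the form `MAJOR.MINOR.PATCH[-pN|-alphaN|-betaN]` (the assumed format of the string printed by `bin/magento --version` or found in `composer.json`), and reports whether that version falls inside the affected range for its release line. It deliberately cannot tell whether the separate hotfix has been applied, and it returns `not-listed` rather than "safe" for release lines the advisory does not mention.

```python
import re
from typing import NamedTuple, Optional

# Ceilings copied from the advisory text above: every version on the same
# release line (x.y.z) that sorts at or below the entry is affected.
AFFECTED_UP_TO = {
    "Adobe Commerce": [
        "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15",
    ],
    "Adobe Commerce B2B": [
        "1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15",
    ],
    "Magento Open Source": [
        "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14",
    ],
}

# Assumed version syntax: "2.4.7", "2.4.7-p7", "2.4.9-alpha2", "2.4.9-beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Ordering within one release line: alpha < beta < GA (no suffix) < p1 < p2 ...
_STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}


class MagentoVersion(NamedTuple):
    line: tuple      # (major, minor, patch), e.g. (2, 4, 7)
    stage: int       # rank from _STAGE_RANK
    number: int      # suffix number (p7 -> 7); 0 for GA


def parse_version(text: str) -> MagentoVersion:
    """Parse a Magento/Adobe Commerce version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    line = (int(major), int(minor), int(patch))
    if stage is None:
        return MagentoVersion(line, _STAGE_RANK["ga"], 0)
    return MagentoVersion(line, _STAGE_RANK[stage], int(num))


def ceiling_for(product: str, line: tuple) -> Optional[MagentoVersion]:
    """Return the advisory ceiling for a release line, or None if not listed."""
    for entry in AFFECTED_UP_TO[product]:
        ceiling = parse_version(entry)
        if ceiling.line == line:
            return ceiling
    return None


def status(product: str, installed: str) -> str:
    """
    'affected'      -> version is at or below the advisory ceiling: patch now.
    'above-ceiling' -> version is newer than the ceiling for its release line.
                       This does NOT prove the hotfix is present on older
                       installs; it only says the advisory does not list it.
    'not-listed'    -> release line absent from the advisory (e.g. end-of-life
                       2.3.x). Treat as unknown, not as safe.
    """
    v = parse_version(installed)
    ceiling = ceiling_for(product, v.line)
    if ceiling is None:
        return "not-listed"
    if (v.stage, v.number) <= (ceiling.stage, ceiling.number):
        return "affected"
    return "above-ceiling"


if __name__ == "__main__":
    # Constructed sample inputs, not real store data.
    for product, version in [
        ("Magento Open Source", "2.4.7-p7"),
        ("Magento Open Source", "2.4.8"),
        ("Magento Open Source", "2.4.9-alpha3"),
        ("Adobe Commerce", "2.4.4-p15"),
        ("Magento Open Source", "2.3.7-p4"),
    ]:
        print(f"{product:20s} {version:12s} -> {status(product, version)}")
```

The check is only as good as the source of the version string; an installation whose `composer.json` still says `2.4.7-p7` but has the hotfix applied will be reported as affected, which is the conservative failure mode you want from a triage script.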