
SessionReaper: Magento and Adobe Commerce Hit by Critical Zero-Day
A critical vulnerability, CVE-2025-54236, nicknamed SessionReaper, has struck Adobe Commerce and Magento Open Source, prompting an emergency out-of-band patch from Adobe. Rated critical (CVSS 9.1), the flaw stands among the most severe in the platform’s history.
What Is SessionReaper?
First revealed by Sansec, SessionReaper enables unauthenticated remote code execution (RCE) and customer account takeover through Magento’s REST API. The exploit chains session manipulation with nested deserialization vulnerabilities, and is most dangerous when session data is stored on the filesystem, the typical default setup.
Sansec warned that given the severity and the accidental early leak of Adobe’s patch, automated attacks are expected as soon as exploit code hits the wild.
Adobe’s Emergency Response
Adobe broke from its regular update cycle to issue an emergency patch under Security Bulletin APSB25-88, released on September 9, 2025.
Affected platforms include:
- Adobe Commerce (up to 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15)
- Adobe Commerce B2B (versions through 1.5.3-alpha2, 1.5.2-p2, etc.)
- Magento Open Source (up to the same version thresholds)

Solution: Apply the hotfix VULN-32437-2-4-X-patch, compatible with all affected versions between 2.4.4 and 2.4.7.
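The affected-version list is awkward to check by hand across a fleet of stores, because each release line has its own patch-level cutoff and pre-release suffixes (alpha, beta, rc) sort differently from patch suffixes (p1, p2, ...). The following Python helper is added here as an illustration; it is not Adobe’s, Sansec’s or Absolute Web’s tooling. It parses a Magento version string (bare, or the last token of a line such as the output of `bin/magento --version`) and reports whether it falls within the thresholds listed above. It assumes that a version newer than the listed threshold on the same release line already carries the fix, and it does not model Adobe Commerce B2B, whose threshold list is only partly given above. Applying the VULN-32437-2-4-X-patch hotfix does not change the version string, so this check can only tell you which stores need the hotfix confirmed, not whether it is already in place.

```python
"""Triage helper for CVE-2025-54236 (SessionReaper): does a given Magento /
Adobe Commerce version fall inside the APSB25-88 affected ranges?

Example code added for illustration; not Adobe, Sansec or Absolute Web tooling.
"""
import re
from typing import Dict, Optional, Tuple

VersionKey = Tuple[int, int, int, int, int]

# Highest affected version on each release line, as listed in APSB25-88.
# Assumption: anything newer on the same line already carries the fix.
# Adobe Commerce B2B (1.5.x) has its own thresholds and is not modelled here.
AFFECTED_UP_TO: Dict[str, str] = {
    "2.4.9": "2.4.9-alpha2",
    "2.4.8": "2.4.8-p2",
    "2.4.7": "2.4.7-p7",
    "2.4.6": "2.4.6-p12",
    "2.4.5": "2.4.5-p14",
    "2.4.4": "2.4.4-p15",
}

# Ordering of suffixes within one base version: pre-releases come before the
# base release, "p" (patch) releases come after it.
_STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, "p": 4}
_BASE_STAGE = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")


def parse_version(version: str) -> VersionKey:
    """Turn '2.4.7-p7' into a sortable tuple (2, 4, 7, 4, 7).

    Accepts either the bare version or a line such as the output of
    `bin/magento --version`, from which the last token is taken.
    A base release sorts as stage 3 / number 0, so
    2.4.7-alpha1 < 2.4.7 < 2.4.7-p1.
    """
    tokens = version.split()
    if not tokens:
        raise ValueError("empty version string")
    m = _VERSION_RE.match(tokens[-1])
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    if stage is None:
        return (int(major), int(minor), int(patch), _BASE_STAGE, 0)
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(num))


def release_line(version: str) -> str:
    """'2.4.7-p3' -> '2.4.7': the key used to look up the bulletin threshold."""
    major, minor, patch, _, _ = parse_version(version)
    return f"{major}.{minor}.{patch}"


def is_affected(version: str) -> Optional[bool]:
    """True if at or below the listed threshold for its line, False if newer,
    None if the line is not listed at all (older, unsupported lines): those
    need a manual review rather than a green light."""
    threshold = AFFECTED_UP_TO.get(release_line(version))
    if threshold is None:
        return None
    return parse_version(version) <= parse_version(threshold)


def triage(stores: Dict[str, str]) -> Dict[str, str]:
    """Map store name -> action for a fleet of {name: version} entries.

    Applying the VULN-32437-2-4-X-patch hotfix does not change the version
    string, so an affected store must have the hotfix confirmed separately.
    """
    verdicts: Dict[str, str] = {}
    for name, version in stores.items():
        affected = is_affected(version)
        if affected is None:
            verdicts[name] = "review manually: release line not listed in APSB25-88"
        elif affected:
            verdicts[name] = "in affected range: confirm VULN-32437-2-4-X-patch is applied"
        else:
            verdicts[name] = "newer than listed threshold (assumed fixed)"
    return verdicts


if __name__ == "__main__":
    # Constructed sample fleet, not real stores.
    fleet = {
        "shop-eu": "Magento CLI 2.4.7-p3",
        "shop-us": "2.4.6-p12",
        "staging": "2.4.9",
        "legacy": "2.4.3-p3",
    }
    for store, verdict in triage(fleet).items():
        print(f"{store:8} {fleet[store]:22} -> {verdict}")
```

Because the helper returns `None` rather than `False` for release lines the bulletin does not list, an end-of-life 2.3.x or 2.4.3 store is never reported as safe by omission; it is queued for manual review instead.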
Important Considerations
- Adobe observed no evidence of active exploitation in the wild.
- For merchants hosting on Adobe Commerce on Cloud, Adobe has already deployed WAF rules as a temporary safeguard.
- Sansec, a partner of Absolute Web, recommends deploying the patch as quickly as possible. For sites that cannot patch immediately, for example because of potential compatibility breakage, Sansec advises putting a WAF such as Adobe Fastly or Sansec Shield in front of the store, and running a post-patch malware scan with eComscan. Rotating the store’s cryptographic key is also advised.
Why This Matters
SessionReaper joins a lineage of Magento’s most dangerous flaws: Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024), each of which led to widespread attacks within hours of disclosure.
The accelerated patch release, well ahead of Adobe’s next scheduled October update, underlines the severity. Adobe Commerce customers were informed privately on September 4, but open-source Magento users received no advance warning, drawing criticism over the unequal communication.
What Merchants Must Do Now
| Action | Recommended Steps |
|---|---|
| Immediately Apply the Hotfix | Deploy VULN-32437-2-4-X-patch without delay. |
| Use Temporary Protection | Enable a WAF (Adobe Fastly or Sansec Shield) if patching isn’t immediately possible. |
| Conduct Malware Scans | Run eComscan to detect potential compromise. |
| Rotate Security Keys | Change cryptographic keys to prevent post-compromise attacks. |
| Monitor for Exploits | Keep logs and alerts active for suspicious session behavior. |
| Check WAF Status (Cloud Users) | Ensure WAF rules are properly in place for protection. |
How Absolute Web Can Help
As an Adobe Commerce Partner Agency, Absolute Web is actively helping merchants mitigate the risks of SessionReaper. Our team is already working with clients to:
- Deploy the Emergency Patch: safely applying the hotfix across affected Adobe Commerce and Magento Open Source stores.
- Validate Compatibility: testing to ensure extensions, customizations, and integrations remain stable after patching.
- Enhance Security Layers: configuring and verifying WAF rules, session storage, and other protective measures.
- Post-Patch Monitoring: running malware scans and reviewing system logs for any signs of compromise.
- Security Consulting: advising on long-term security best practices, including session management, patch cadence, and key rotation.
If your store runs on Adobe Commerce or Magento Open Source, time is critical. Absolute Web can step in immediately to ensure your site is patched, secured, and monitored against this threat, minimizing downtime and protecting your customers. Contact us today.