SessionReaper, Major Security Vulnerability

SessionReaper: Magento and Adobe Commerce Hit by Critical Zero-Day

A major security vulnerability, CVE-2025-54236, nicknamed SessionReaper, has struck Adobe Commerce and Magento Open Source, prompting an emergency out-of-band patch from Adobe. Rated critical (CVSS 9.1), the flaw stands among the most severe in the platform's history.

What Is SessionReaper?

First revealed by Sansec, SessionReaper lets an unauthenticated attacker take over customer accounts through Magento's REST API and, in common configurations, reach remote code execution (RCE). The exploit chains session manipulation with nested deserialization flaws, and it is most dangerous when session data is stored on the filesystem, which is Magento's default session backend.

Sansec warned that, given the severity and the accidental early leak of Adobe's patch, automated attacks should be expected as soon as working exploit code circulates.

Adobe’s Emergency Response

Adobe broke from its regular update cycle to issue an emergency patch under Security Bulletin APSB25-88, released on September 9, 2025.

  • Affected platforms include:
    • Adobe Commerce (up to 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15)
    • Adobe Commerce B2B (versions through 1.5.3-alpha2, 1.5.2-p2, etc.)
    • Magento Open Source (up to same version thresholds)
  • Solution: Apply the hotfix VULN-32437-2-4-X-patch, a patch file that covers every affected version from 2.4.4 through 2.4.9-alpha2, then run the usual cache flush and compile steps.
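As an added example (not code from Adobe, Sansec or Absolute Web), the Python script below turns the affected-version list above and the file-based session default mentioned earlier into a quick triage check: it parses a Magento version string against the patch-level ceilings in the bulletin and reads the session 'save' handler out of app/etc/env.php by bracket matching, so a nested Redis sub-array does not confuse it. The env.php fragments are constructed for the demonstration; treating versions below 2.4.4 as exposed is an assumption, since the bulletin does not cover those end-of-life lines.

```python
import re
from typing import Dict, Tuple

# Newest vulnerable patch level of each 2.4.x line, from the affected-version
# list quoted on this page (Adobe APSB25-88). A store at or below that -pN
# level is exposed; a higher level is outside the range the bulletin lists.
VULNERABLE_PATCH_CEILING = {
    (2, 4, 4): 15,
    (2, 4, 5): 14,
    (2, 4, 6): 12,
    (2, 4, 7): 7,
    (2, 4, 8): 2,
}
# 2.4.9 existed only as pre-releases at bulletin time; alpha2 and earlier are listed.
VULNERABLE_PRERELEASE = {(2, 4, 9): ("alpha", 2)}

# Magento version strings look like 2.4.7-p6, 2.4.8 or 2.4.9-alpha2.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(p|alpha|beta)(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str, int]:
    """Split '2.4.7-p6' into ((2, 4, 7), 'p', 6); a bare '2.4.8' yields ('', 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, kind, n = m.groups()
    return (int(major), int(minor), int(patch)), (kind or ""), int(n or 0)


def classify_version(version: str) -> str:
    """'vulnerable', 'above-listed-range' or 'unsupported' for one Magento version."""
    line, kind, n = parse_version(version)
    if line in VULNERABLE_PATCH_CEILING:
        if kind in ("alpha", "beta"):
            return "vulnerable"  # a pre-release predates every -p level of its line
        return "vulnerable" if n <= VULNERABLE_PATCH_CEILING[line] else "above-listed-range"
    if line in VULNERABLE_PRERELEASE:
        listed_kind, listed_n = VULNERABLE_PRERELEASE[line]
        if kind == listed_kind and n <= listed_n:
            return "vulnerable"
        return "above-listed-range"
    # Assumption: lines below 2.4.4 are not covered by the bulletin or the hotfix
    # (they are end-of-life), so treat them as exposed rather than as safe.
    return "unsupported"


def session_save_backend(env_php: str) -> str:
    """Return the 'save' handler from env.php's 'session' => [...] block.

    The block is located by bracket matching so a nested 'redis' => [...] array
    does not confuse the search. Magento falls back to file-based sessions when
    env.php configures nothing, which is the default this page warns about.
    """
    start = env_php.find("'session'")
    open_idx = env_php.find("[", start) if start != -1 else -1
    if open_idx == -1:
        return "files"
    depth, i = 0, open_idx
    while i < len(env_php):
        if env_php[i] == "[":
            depth += 1
        elif env_php[i] == "]":
            depth -= 1
            if depth == 0:
                break
        i += 1
    m = re.search(r"'save'\s*=>\s*'([^']*)'", env_php[open_idx : i + 1])
    return m.group(1) if m else "files"


def triage(version: str, env_php: str) -> Dict[str, object]:
    """Combine the two checks into the summary a first-response ticket needs."""
    backend = session_save_backend(env_php)
    return {
        "version": version,
        "status": classify_version(version),
        "session_backend": backend,
        "file_based_sessions": backend == "files",
    }


# Constructed env.php fragments for the demonstration (not from a real store).
ENV_PHP_FILE_SESSIONS = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'crypt' => ['key' => 'REDACTED'],
    'session' => [
        'save' => 'files'
    ],
];
"""
ENV_PHP_REDIS_SESSIONS = """<?php
return [
    'session' => [
        'save' => 'redis',
        'redis' => ['host' => '127.0.0.1', 'port' => '6379', 'database' => '2']
    ],
];
"""

if __name__ == "__main__":
    for ver, env in (("2.4.7-p6", ENV_PHP_FILE_SESSIONS), ("2.4.9-alpha3", ENV_PHP_REDIS_SESSIONS)):
        print(triage(ver, env))
```

Feed it the version string reported by bin/magento --version and the store's app/etc/env.php: a 'vulnerable' result together with file-based sessions is the configuration this page describes as most dangerous. The check only says whether a release falls inside the affected range, not whether the hotfix has already been applied to it, so confirm the patch separately.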

Important Considerations

  • At the time of the bulletin, Adobe had seen no evidence of active exploitation in the wild.
  • For merchants hosting on Adobe Commerce on Cloud, Adobe has already deployed WAF rules as a temporary safeguard.
  • Sansec, a partner of Absolute Web, recommends deploying the patch immediately. For sites that cannot patch at once, for instance because of extension compatibility concerns, Sansec advises putting a WAF such as Adobe's Fastly rules or Sansec Shield in front of the store in the meantime, scanning for malware with eComscan after patching, and rotating the store's cryptographic key (the crypt key in app/etc/env.php).

Why This Matters

SessionReaper joins a lineage of Magento’s most dangerous flaws, Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024), each of which led to widespread attacks within hours of disclosure.

The accelerated patch release, well ahead of Adobe's next scheduled update in October, underlines the severity. While Adobe Commerce customers were informed privately on September 4, Magento Open Source users received no advance warning, drawing criticism over unequal communication.

What Merchants Must Do Now

Action and recommended steps:

  • Immediately apply the hotfix: deploy VULN-32437-2-4-X-patch without delay.
  • Use temporary protection: enable a WAF (Adobe Fastly or Sansec Shield) if patching is not immediately possible.
  • Conduct malware scans: run eComscan to detect potential compromise.
  • Rotate security keys: change the store's cryptographic keys so that anything captured before the patch cannot be reused against you.
  • Monitor for exploits: keep logs and alerts active for suspicious session and REST API behaviour.
  • Check WAF status (Cloud users): confirm Adobe's WAF rules are actually in place.

How Absolute Web Can Help

As an Adobe Commerce Partner Agency, Absolute Web is actively helping merchants mitigate the risks of SessionReaper. Our team is already working with clients to:

— Deploy the Emergency Patch:
Safely applying the hotfix across affected Adobe Commerce and Magento Open Source stores.

— Validate Compatibility:
Testing to ensure extensions, customizations, and integrations remain stable after patching.

— Enhance Security Layers:
Configuring and verifying WAF rules, session storage, and other protective measures.

— Post-Patch Monitoring:
Running malware scans and reviewing system logs for any signs of compromise.

— Security Consulting:
Advising on long-term security best practices, including session management, patch cadence, and key rotation.

If your store runs on Adobe Commerce or Magento Open Source, time is critical. Absolute Web can step in immediately to ensure your site is patched, secured, and monitored against this threat, minimizing downtime and protecting your customers. Contact us today.
