Adobe has released a security update addressing a serious flaw in Adobe Commerce and Magento Open Source, known as SessionReaper (CVE-2025-54236). This vulnerability has a high severity rating of 9.1 out of 10 and lets hackers hijack customer accounts through the Commerce REST API by exploiting improper input validation. Sansec reports that Adobe informed some Commerce customers about the emergency fix on September 4, stepping outside their usual release schedule to address this urgent issue.
Affected Versions
• Adobe Commerce up to 2.4.9-alpha2
• Adobe Commerce B2B up to 1.5.3-alpha2
• Magento Open Source up to 2.4.9-alpha2
• Custom Attributes Serializable module versions 0.1.0 to 0.4.0
Researchers have confirmed that remote code execution is achievable primarily through file-based session storage, the default configuration in most deployments. While other session backends (Redis, database) have not been proven exploitable, all merchants should patch immediately, as multiple abuse vectors may exist.
Attack Methodology
Researchers reproduced remote code execution against Magento installations that use file-based session storage by chaining deserialization flaws through the platform’s REST API. Sansec emphasizes that, although the attack was demonstrated against file session storage (the default in most environments), all merchants should patch immediately, since other session backends may still offer exploitable paths. The attack requires neither authentication nor administrative access, which makes prompt remediation critical. The urgency is heightened by reports that an initial hotfix was accidentally leaked last week, potentially giving threat actors advance knowledge to develop exploits.
Recommended Actions
Adobe recommends:
- Apply the hotfix immediately to all affected installations.
- Activate a Web Application Firewall (WAF), such as Adobe Fastly or Sansec Shield, if immediate patching is not possible.
Sansec further advises that if patching is delayed by more than 24 hours, administrators should:
- Run malware scans to detect any possible compromise.
- Rotate the Magento secret cryptographic key to prevent attackers from persisting unauthorized changes, such as CMS block updates.
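As an added triage helper (not code from Adobe's or Sansec's advisories), the following Python script checks whether a store's reported version falls inside the affected range listed above and whether app/etc/env.php selects file-based session storage, the backend on which RCE was confirmed. The env.php content is a constructed sample; the 'session' => ['save' => ...] key is Magento's standard setting, and a version number alone cannot show whether the hotfix has already been applied.

```python
"""Triage helper for SessionReaper (CVE-2025-54236): flags an Adobe Commerce /
Magento Open Source install whose version is in the affected range and whose
session storage is file-based (the backend where RCE was confirmed)."""
import re

# Highest affected release for Adobe Commerce / Magento Open Source (per the advisory).
LAST_AFFECTED = "2.4.9-alpha2"

def parse_version(text):
    """Turn '2.4.9-alpha2', '2.4.8-p2' or 'Magento CLI 2.4.7' into a sortable tuple.
    A final release sorts above its alpha/beta/rc pre-releases; -pN patches sort above it."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), int(m.group(5) or 0)
    rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}[tag]
    return (major, minor, patch, rank, num)

def is_affected_version(text):
    """True when the version is at or below the last affected release."""
    return parse_version(text) <= parse_version(LAST_AFFECTED)

def session_backend(env_php):
    """Read the session 'save' setting from app/etc/env.php; Magento defaults to 'files'."""
    m = re.search(r"'session'\s*=>\s*\[\s*'save'\s*=>\s*'(\w+)'", env_php)
    return m.group(1) if m else "files"

def triage(version_text, env_php):
    """Summarise exposure. Note: the version cannot reveal whether the hotfix was applied."""
    backend = session_backend(env_php)
    affected = is_affected_version(version_text)
    return {
        "affected_version": affected,
        "session_backend": backend,
        "confirmed_rce_path": affected and backend == "files",
    }

# Constructed sample env.php (not from a real store); the key value is a placeholder.
SAMPLE_ENV_PHP = """<?php
return [
    'session' => [
        'save' => 'files'
    ],
    'crypt' => [
        'key' => 'PLACEHOLDER_KEY'
    ],
];
"""

if __name__ == "__main__":
    print(triage("Magento CLI 2.4.7", SAMPLE_ENV_PHP))
```

On a live host the version string comes from bin/magento --version and the env.php text from app/etc/env.php; a non-file backend only lowers the confirmed risk and is not a reason to defer the patch.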
Historical Context
SessionReaper is one of the most serious Magento vulnerabilities in platform history, ranking alongside notorious flaws like Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). According to Sansec researchers, each of these critical vulnerabilities led to thousands of stores being compromised, often within hours of public disclosure. The CosmicSting incident alone demonstrated the speed and scale of automated exploitation, with researchers documenting hack rates of 5 to 30 stores per hour during active campaigns. Over 4,000 stores were ultimately compromised in the CosmicSting attacks, affecting approximately 5% of all Adobe Commerce and Magento installations globally.
Conclusion
Merchants must act immediately and apply the SessionReaper patch. Automated attacks targeting unpatched stores could lead to customer data theft and complete system compromise. As Adobe emphasizes in its advisory, delaying this critical update leaves organizations exposed to significant risk, and recovery assistance will be limited once systems are breached.