A critical vulnerability, CVE-2025-54236, dubbed “SessionReaper,” has been identified in Adobe Commerce and Magento Open Source platforms, potentially allowing attackers to seize control of customer accounts. The severity of this flaw has prompted Adobe to release an emergency patch outside of its regular update schedule.
Vulnerability Details
SessionReaper is characterized by an improper input validation flaw within the Magento Web API. This vulnerability allows attackers to bypass parameter-type checks, injecting malicious code that can lead to unauthorized actions. CVE-2025-54236 has a CVSS score of 9.1, reflecting its critical impact. Exploitation of this issue does not require user interaction.
Why SessionReaper is So Severe
SessionReaper is considered one of the most severe Magento vulnerabilities in the platform's history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). Adobe broke its regular release schedule to publish a fix for this critical flaw in all versions of Adobe Commerce and Magento, highlighting the urgency and potential impact.
Affected Products
The vulnerability impacts a wide range of Adobe Commerce and Magento Open Source versions, including:
- Adobe Commerce (all deployment methods): versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
- Adobe Commerce B2B: versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier
- Magento Open Source: versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
- Custom Attributes Serializable module: Versions 0.1.0 to 0.4.0
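To turn the version list above into a check you can run against a store inventory, here is an added Python example (not code from the advisory or from Adobe) that encodes the ceilings above per release line and decides whether a given build falls inside the affected range. It assumes Magento's usual MAJOR.MINOR.PATCH[-alphaN|-betaN|-pN] version format, reads "and earlier" per release line, and uses product keys chosen here for illustration.

```python
import re
from typing import Tuple

# "X and earlier" ceilings per product, copied from the affected-products list above.
ADVISORY_CEILINGS = {
    "adobe-commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "magento-open-source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "adobe-commerce-b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
}

# Magento version strings: MAJOR.MINOR.PATCH with an optional -alphaN/-betaN/-pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Ordering within one release: alpha < beta < GA (no suffix) < p1 < p2 < ...
_STAGE_ORDER = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.7-p7' into a sortable tuple (2, 4, 7, 3, 7)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(n or 0))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside the advisory's affected ranges.

    Ceilings are read per release line (2.4.7-p7 covers 2.4.7 up to p7, not 2.4.8).
    Release lines older than the oldest listed ceiling are treated as affected too,
    since the advisory says 'and earlier'; newer lines that are not listed are
    treated as unaffected. This reading is an assumption made here.
    """
    v = parse_version(version)
    ceilings = [parse_version(c) for c in ADVISORY_CEILINGS[product]]
    for c in ceilings:
        if c[:3] == v[:3]:
            return v <= c
    return v < min(ceilings)


if __name__ == "__main__":
    for product, ver in [("magento-open-source", "2.4.7-p7"), ("magento-open-source", "2.4.7-p8"),
                         ("adobe-commerce", "2.4.8"), ("adobe-commerce-b2b", "1.4.2-p8")]:
        print(f"{product} {ver}: {'AFFECTED' if is_affected(product, ver) else 'not affected'}")
```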
Impact & Exploit Potential
Successful exploitation of SessionReaper can lead to security feature bypass, customer account takeover, data theft, fraudulent orders, and potentially remote code execution. Because the flaw lets an attacker bypass input validation in the Magento Web API, account takeover and data theft can be automated and do not require a valid session token; attackers can also gain unauthorized access to user sessions and manipulate system data.
Proof of Concept (PoC)
Security researchers have successfully reproduced an exploit for CVE-2025-54236, demonstrating that multiple attack vectors are possible. The attack combines a malicious session with a nested deserialization bug in Magento’s REST API. While the specific remote code execution vector appears to require file-based session storage, it is recommended that merchants using Redis or database sessions also take immediate action, as there are multiple ways to abuse this vulnerability. A leaked concept patch, labeled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement,” is already circulating among developer communities. This leak provides a preview of the remediation approach, primarily tightening input processing in ServiceInputProcessor.php. Merchants deploying the leaked patch do so at their own risk.
Tactics, Techniques, and Procedures (TTPs)
Attackers can exploit the SessionReaper vulnerability to bypass input validation in the Magento Web API. This allows for automated account takeover, data theft, and fraudulent orders, even without valid session tokens. Key tactics and techniques associated with this vulnerability include:
- TA0006 – Credential Access: Attackers gain unauthorized access to account credentials.
- T1555 – Credentials from Password Stores: Exploiting password storage vulnerabilities.
- TA0004 – Privilege Escalation: Elevating privileges to gain control over customer accounts.
- T1078 – Valid Accounts: Using compromised valid accounts to perform malicious activities.
- T1190 – Exploit Public-Facing Application: Leveraging vulnerabilities in internet-facing applications.
- T1020 – Automated Collection: Automatically gathering data from affected systems.
Mitigation & Recommendations
Adobe has released a hotfix for CVE-2025-54236 and has deployed web application firewall (WAF) rules to protect Adobe Commerce on Cloud infrastructure. Key recommendations include:
- Apply the official patch from Adobe immediately; it addresses the improper input validation and prevents session takeover.
- Merchants using Adobe Commerce on Cloud are advised to ensure WAF rules are up to date.
- Monitor logs for suspicious Web API calls.
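As a concrete starting point for the log-monitoring recommendation, here is an added Python example (not part of the advisory or of Adobe's guidance) that parses standard combined-format access-log lines, keeps only write calls to the Magento REST API under /rest/, and flags any client that issues a burst of them, which is what automated account abuse through the Web API would look like at the access-log level. The threshold, the window and the sample log lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx/Apache "combined" access-log layout (standard field order).
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], _TS_FMT)
    return rec

def flag_rest_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total REST writes} for clients issuing at least `threshold`
    POST/PUT/DELETE calls under /rest/ inside `window` (assumed tuning values)."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/rest/") and rec["method"] in ("POST", "PUT", "DELETE"):
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample lines (not from a real incident): one browsing customer and one
# client repeatedly hitting a REST endpoint from a scripting user agent.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2025:12:00:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2025:12:00:09 +0000] "POST /rest/V1/carts/mine/items HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Sep/2025:12:01:{s:02d} +0000] "POST /rest/V1/customers HTTP/1.1" 200 88 "-" "python-requests/2.31"'
    for s in range(0, 30, 5)
]

if __name__ == "__main__":
    print(flag_rest_bursts(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Feed it real access logs line by line and correlate flagged clients with the application's Web API logs before acting; a busy legitimate integration can also cross a naive threshold.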
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
