Adobe has issued an emergency security patch for a critical vulnerability in its Magento and Adobe Commerce platforms, dubbed “SessionReaper”.

The vulnerability is considered one of the most severe in Magento’s history, prompting an out-of-band update on Tuesday, September 9th, well ahead of the next scheduled patch release on October 14th.

The vulnerability, discovered by Sansec and tracked as CVE-2025-54236, could expose thousands of online stores to automated attacks.

The severity of SessionReaper is being compared to past significant Magento vulnerabilities, such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024).

Each of these historical flaws led to the compromise of thousands of e-commerce sites, with threat actors often exploiting them within hours of public disclosure, Sansec said.

This history has put the Magento and Adobe Commerce communities on high alert, emphasizing the need for immediate action.

Adobe’s handling of the disclosure has drawn criticism from the open-source community. While paying Adobe Commerce customers received private advance notification of the emergency fix on September 4th, users of the free Magento Open Source platform were given no prior warning.

As a result, a large portion of the user base was unprepared for the critical update, leading to frustration over the perceived disparity in support between the commercial and open-source ecosystems. Internal discussions at Adobe about an emergency fix reportedly began as early as August 22nd.

Mitigations

Merchants are urged to apply the official patch from Adobe without delay. The updates are available on Adobe’s security bulletin webpage.

A leaked, unofficial copy of the patch, titled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement,” suggests the vulnerability lies in the Webapi/ServiceInputProcessor.php file, the component that converts incoming web API request data into the objects a service method expects.

The fix appears to restrict the types of data that this processor will accept, allowing only simple types or explicitly authorized API Data Objects rather than arbitrary types named by the request.
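As an added illustration, not Magento’s own code and not a description of the actual CVE-2025-54236 code path, the Python sketch below contrasts a request processor that instantiates whatever type name a request supplies with one that accepts only simple types and an explicit allowlist of data objects, which is the shape of restriction the leaked patch title suggests. The classes Address, Customer and ConfigWriter, the "@type" key and both request bodies are constructed for the example.

```python
"""Allowlist-based input processing, as an illustration of the fix described
in the article. Hypothetical classes and request format; not Magento code."""
import json
from dataclasses import dataclass, fields

# Hypothetical API data objects that a request is allowed to populate.
@dataclass
class Address:
    city: str
    zip: str

@dataclass
class Customer:
    email: str
    address: Address

# A class that exists in the process but must never be built from request data.
class ConfigWriter:
    def __init__(self, path: str):
        self.path = path

SIMPLE_TYPES = (str, int, float, bool, type(None))

# The allowlist: only these names may be resolved from a request.
ALLOWED_DATA_OBJECTS = {cls.__name__: cls for cls in (Address, Customer)}

class InputRejected(ValueError):
    """Raised when request data names a type that is not simple or authorized."""

def unsafe_convert(value):
    """Loose processor: a dict carrying '@type' becomes an instance of
    whatever class that name resolves to, so the client chooses the class."""
    if isinstance(value, dict) and "@type" in value:
        cls = globals()[value["@type"]]
        kwargs = {k: unsafe_convert(v) for k, v in value.items() if k != "@type"}
        return cls(**kwargs)
    if isinstance(value, dict):
        return {k: unsafe_convert(v) for k, v in value.items()}
    if isinstance(value, list):
        return [unsafe_convert(v) for v in value]
    return value

def safe_convert(value):
    """Hardened processor: scalars pass through, lists and plain dicts recurse,
    and '@type' is honoured only for an authorized data object whose declared
    fields match the supplied keys exactly."""
    if isinstance(value, SIMPLE_TYPES):
        return value
    if isinstance(value, list):
        return [safe_convert(v) for v in value]
    if isinstance(value, dict):
        type_name = value.get("@type")
        if type_name is None:
            return {k: safe_convert(v) for k, v in value.items()}
        cls = ALLOWED_DATA_OBJECTS.get(type_name)
        if cls is None:
            raise InputRejected(f"{type_name!r} is not an authorized API data object")
        kwargs = {k: safe_convert(v) for k, v in value.items() if k != "@type"}
        declared = {f.name for f in fields(cls)}
        if set(kwargs) != declared:
            raise InputRejected(f"{type_name} fields must be exactly {sorted(declared)}")
        return cls(**kwargs)
    raise InputRejected(f"unsupported value of type {type(value).__name__}")

# Constructed request bodies for the demonstration.
LEGIT_REQUEST = json.dumps({"@type": "Customer", "email": "a@example.com",
                            "address": {"@type": "Address", "city": "Oslo", "zip": "0150"}})
HOSTILE_REQUEST = json.dumps({"@type": "ConfigWriter", "path": "/etc/app.ini"})

def rejects(raw_json: str) -> bool:
    """True if the hardened processor refuses the request body."""
    try:
        safe_convert(json.loads(raw_json))
    except InputRejected:
        return True
    return False

if __name__ == "__main__":
    print(type(unsafe_convert(json.loads(HOSTILE_REQUEST))).__name__)  # ConfigWriter
    print(rejects(HOSTILE_REQUEST), rejects(LEGIT_REQUEST))            # True False
```

The point of the hardened version is that the set of constructible types is fixed at code-review time and cannot grow because a request mentions a new name; the exact-field check additionally stops a legitimate data object from being filled with keys it does not declare.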

However, merchants were cautioned against applying this unofficial patch, as neither its finality nor its completeness could be confirmed.

Given the critical nature of SessionReaper, store owners are strongly advised to prioritize the deployment of the official security update to prevent session hijacking and other potential automated attacks.
