Adobe has issued an emergency patch for a critical security flaw dubbed "SessionReaper" (CVE-2025-54236) that puts hundreds of thousands of online stores worldwide at risk. The vulnerability allows unauthenticated attackers to hijack customer accounts and, on affected configurations, execute code remotely on the store's servers.
The bug affects all versions of Adobe Commerce and Magento Open Source and carries a CVSS score of 9.1 (critical). Security researchers warn it could be one of the most severe Magento vulnerabilities in the platform's history, comparable to Shoplift (2015) and CosmicSting (2024), both of which were used to compromise thousands of stores within hours of disclosure.
"SessionReaper is one of the more severe Magento vulnerabilities in its history," confirmed the vulnerability researcher who discovered the flaw. The attack combines malicious session manipulation with a nested deserialization bug in Magento's REST API (application programming interface), following a similar pattern to last year's CosmicSting incident.
What makes this particularly dangerous is that Adobe's patch was accidentally leaked last week, potentially giving cybercriminals a head start on developing exploit code. Security firm Sansec, which has reproduced the attack, warns that "automated abuse is expected" as threat actors reverse-engineer the fix into working exploits.
The remote code execution path depends on the store using file-based session storage. Experts nonetheless recommend immediate action whatever the session backend, because the flaw offers more than one attack vector and account takeover does not depend on where sessions are stored.
Immediate Actions Required:
- Apply the emergency patch immediately. Adobe has published a developer guide; the fix may break custom functionality, so test it on a staging copy before it reaches production, but do not let that testing delay the rollout.
- Deploy a Web Application Firewall (WAF) if patching isn't possible within 24 hours. At the time of writing only Adobe Fastly and Sansec Shield are reported to block this attack.
- Scan for compromise if patch deployment was delayed beyond 24 hours; assume any unpatched, exposed store may already have been hit.
- Rotate the store's secret crypt keys so that sessions or tokens minted by an attacker before the patch stop working.
Store owners already using Sansec Shield protection are reportedly safe from this attack. Given the history of rapid exploitation following Magento vulnerability disclosures, security experts emphasise that time is critical for unprotected merchants.
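Because the remote code execution path hinges on file-based session storage, the first thing a merchant will want to know is which session backend the store runs. The following script is an added example, not code from the article, Adobe or Sansec: it reads the session save backend out of a Magento 2 `app/etc/env.php` and states which of the article's two exposure cases applies. It assumes the stock `env.php` layout (a top-level `'session'` array with a `'save'` key of `'files'`, `'redis'` or `'db'`) and assumes, as Magento's default, that an unset key means file-based storage; the sample `env.php` fragments it writes are constructed for the dry run and are not real store configurations.

```shell
#!/bin/sh
# Added example (not from the article, Adobe or Sansec): report the session
# storage backend configured in a Magento 2 app/etc/env.php, so a store owner
# can tell whether the file-based storage that SessionReaper's RCE path needs
# is in use. Assumes the stock env.php layout: a top-level 'session' array
# holding a 'save' key whose value is 'files', 'redis' or 'db'.

# Print the configured session save backend, or "unset" if env.php has none.
session_save_mode() {
    awk -v q="'" '
        index($0, q "session" q) { inblk = 1 }
        inblk && match($0, q "save" q " *=> *" q "[^" q "]*" q) {
            v = substr($0, RSTART, RLENGTH)
            sub(".*=> *" q, "", v)   # drop up to and including the opening quote
            sub(q "$", "", v)        # drop the closing quote
            print v
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the backend to the exposure the article describes. Every store needs the
# patch; file-based storage (or none configured, which is assumed here to fall
# back to Magento's default of files) is the configuration the RCE path needs.
session_verdict() {
    case "$1" in
        files|unset) echo "file-based sessions: RCE path applies, patch immediately" ;;
        *)           echo "$1 sessions: patch anyway, account takeover vector remains" ;;
    esac
}

# Write a constructed env.php fragment (not a real store config) for a dry run.
write_sample_env() {
    cat > "$1" <<EOF
<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => '$2'
    ],
    'cache' => ['frontend' => []],
];
EOF
}

# Dry run against two constructed configs; on a real store, point
# session_save_mode at the actual app/etc/env.php instead.
tmp=$(mktemp -d)
write_sample_env "$tmp/env_files.php" files
write_sample_env "$tmp/env_redis.php" redis
for f in "$tmp"/env_*.php; do
    mode=$(session_save_mode "$f")
    echo "$(basename "$f"): $(session_verdict "$mode")"
done
rm -rf "$tmp"
```

On a live store, run `session_save_mode /path/to/magento/app/etc/env.php` and feed the result to `session_verdict`; whichever answer comes back, the patch still has to go on, since only the RCE half of the flaw depends on the session backend.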