Categories: Cyber Security News

Magento and Adobe SessionReaper Flaw Puts Thousands of Online Stores at Risk of Automated Attacks

Adobe has broken its regular patch cadence to deliver an emergency fix for a critical Magento vulnerability dubbed SessionReaper (CVE-2025-54236).

This flaw has been classified as one of the most severe in Magento’s history, on par with Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024).

Automated abuse is imminent, and all merchants—particularly those not on managed platforms—must prepare to deploy the patch immediately.

Adobe’s internal discussions around a rapid fix began on August 22nd, followed by a private notification to Commerce Cloud customers on September 4th.

Open-source Magento users were not informed until the official announcement on September 9th, underscoring concerns about transparency and equitable distribution of security updates.

The emergency patch is slated for release at approximately 14:00 UTC on Tuesday, September 9th, ahead of the regular October 14th update cycle.

A leaked concept patch, labeled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement,” is already circulating among developer communities.

While this leak provides a preview of the remediation approach, primarily tightening input processing in ServiceInputProcessor.php, it may not represent the finalized Adobe release. Merchants deploying the leaked patch do so at their own risk.

Vulnerability Impact and Mitigation

SessionReaper resides within Magento’s Web API input handling mechanism. It abuses the framework’s service input processor by bypassing parameter-type checks, allowing injection of complex objects that could lead to unauthorized administrative actions.

The patched code now enforces stricter type validation, accepting only simple scalar parameters or recognized API Data Objects. All others are silently discarded before conversion, effectively blocking the novel injection vectors.
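As an added illustration (not Magento's own code and not the leaked patch), the following Python models the allow-list behaviour described above: a Web API parameter survives only if it is a simple scalar or an object whose declared type is a recognized API Data Object, and everything else is dropped before conversion. The `"type"` key convention and the allow-list contents are assumptions made for this example.

```python
# Illustrative model of the scalar-or-known-data-object allow-list that the
# SessionReaper fix is described as enforcing. This is example code, not
# Magento's ServiceInputProcessor.
from typing import Any

SCALAR_TYPES = (str, int, float, bool)

# Constructed allow-list of data-object type names for this example.
KNOWN_DATA_OBJECTS = {
    "Magento\\Customer\\Api\\Data\\CustomerInterface",
    "Magento\\Customer\\Api\\Data\\AddressInterface",
}


def is_allowed(value: Any, known: set) -> bool:
    """True for None/scalars and for dicts declaring a known data-object type."""
    if value is None or isinstance(value, SCALAR_TYPES):
        return True
    if isinstance(value, dict):
        # Assumed convention: a data object names its type under "type".
        # Missing or unrecognized types (and arbitrary nested structures) fail.
        return value.get("type") in known
    # Lists of objects, callables, etc. are never accepted as parameters here.
    return False


def filter_params(params: dict, known: set = KNOWN_DATA_OBJECTS):
    """Return (kept, dropped): kept is the sanitized parameter map, dropped
    lists the names silently discarded before any object conversion."""
    kept, dropped = {}, []
    for name, value in params.items():
        if is_allowed(value, known):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


if __name__ == "__main__":
    request = {  # constructed request body
        "customerId": 42,
        "email": "user@example.test",
        "customer": {"type": "Magento\\Customer\\Api\\Data\\CustomerInterface"},
        "nested": {"type": "Magento\\Framework\\Something", "x": {"y": 1}},
        "list": [{"type": "Unknown"}],
    }
    print(filter_params(request))
```

Logging the `dropped` names per request gives the "repeated parameter parsing errors" signal that later sections recommend alerting on.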

Exploitation requires authenticated access to a target store’s Web API endpoints—often achievable via compromised API tokens or stolen administrator credentials.

Once authenticated, an attacker can craft requests to manipulate menu configurations, inject malicious payloads, or elevate privileges.

This vector closely mirrors the attack chains observed in the Shoplift and TrojanOrder incidents, where rapid weaponization enabled mass exploitation within hours of public disclosure.

Automated scanning tools are expected to scour the internet for unpatched Magento instances immediately after patch publication.

This risk is heightened by the leak of the concept patch, which reveals the exact code diffs. Merchants should assume that exploit scripts will become publicly available within 24 hours and prepare for a surge of opportunistic attacks.

Recommended Actions

Merchants who have already subscribed to the Sansec Shield benefit from proactive protection against SessionReaper exploit attempts.

Those without WAF backing must schedule an urgent maintenance window to retrieve and test the official Adobe update from the Adobe Security Bulletin page.

Thorough regression testing is crucial: focus on Web API endpoints, custom modules that extend service interfaces, and any third-party integrations that rely on dynamic API request handling.

In parallel, review administrator credentials and rotate all API tokens. Implement stricter password policies and enforce multi-factor authentication for all admin accounts.

Monitor logs for anomalous Web API calls and set up alerting for repeated parameter parsing errors, which may indicate reconnaissance or exploitation probes.
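As an added example (not from the article, and not a Magento or Sansec tool), this Python detector scans constructed log lines for repeated Web API parameter errors from one client within a short window, which is the probing pattern the paragraph above says to alert on. The log format, field order and sample values are all constructed for the example.

```python
# Sliding-window detector for repeated /rest/ parameter errors per client.
# Example code; the log format below is constructed, not real Magento output.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <client-ip> <method> <path> <status> <message>"
SAMPLE_LOG = """\
2025-09-09T14:05:01Z 203.0.113.7 POST /rest/V1/customers/me 400 invalid parameter type
2025-09-09T14:05:02Z 203.0.113.7 POST /rest/V1/customers/me 400 invalid parameter type
2025-09-09T14:05:03Z 198.51.100.4 GET /rest/V1/products/SKU1 200 ok
2025-09-09T14:05:04Z 203.0.113.7 POST /rest/V1/carts/mine/items 400 invalid parameter type
2025-09-09T14:05:05Z 203.0.113.7 PUT /rest/V1/customers/me 400 invalid parameter type
2025-09-09T14:09:30Z 198.51.100.4 POST /rest/V1/orders 400 invalid parameter type
2025-09-09T14:20:00Z 203.0.113.7 POST /rest/V1/customers/me 400 invalid parameter type
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")


def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5)), m.group(6)


def find_probing_clients(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: timestamp of first alert} for clients that produced
    at least `threshold` Web API (/rest/) 400 parameter errors within `window`."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _method, path, status, msg = rec
        if not path.startswith("/rest/") or status != 400 or "parameter" not in msg:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_LOG))
```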

SessionReaper demonstrates the ongoing threat of sophisticated injection flaws in e-commerce platforms. Immediate patching, layered defenses, and vigilant monitoring are imperative to safeguard Magento stores against this critical vulnerability.


The post Magento and Adobe SessionReaper Flaw Puts Thousands of Online Stores at Risk of Automated Attacks appeared first on Cyber Security News.
