Magento and Adobe SessionReaper Vulnerability Exposes Thousands Of Online Stores to Attacks

Adobe has issued an emergency security patch for a critical vulnerability in its Magento and Adobe Commerce platforms, dubbed “SessionReaper”.

The vulnerability is considered one of the most severe in Magento’s history, prompting an out-of-band update on Tuesday, September 9th, well ahead of the next scheduled patch release on October 14th.

The vulnerability uncovered by Sansec, tracked as CVE-2025-54236, could expose thousands of online stores to automated attacks.

The severity of SessionReaper is being compared to past significant Magento vulnerabilities, such as

  • Shoplift (2015)
  • Ambionics SQLi (2019)
  • TrojanOrder (2022)
  • CosmicSting (2024).

Each of these historical flaws led to the compromise of thousands of e-commerce sites, with threat actors often exploiting them within hours of public disclosure, Sansec said.

This history has put the Magento and Adobe Commerce communities on high alert, emphasizing the need for immediate action.

Adobe’s handling of the disclosure has drawn criticism from the open-source community. While paying Adobe Commerce customers received a private, advanced notification of the emergency fix on September 4th, users of the free Magento Open Source platform were not given any prior warning.

This left a large portion of the user base unprepared for the critical update and caused frustration over the perceived disparity in support between the commercial and open-source ecosystems. Internal discussions at Adobe regarding an emergency fix reportedly began as early as August 22nd.

Mitigations

Merchants are urged to apply the official patch from Adobe without delay. The updates are available on Adobe’s security bulletin webpage.

The leaked patch, titled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement,” suggests the vulnerability is located in the Webapi/ServiceInputProcessor.php file.

The fix appears to restrict the types of data that can be processed through the API, allowing only simple types or authorized API Data Objects.

However, merchants were cautioned against using this unofficial patch, because it had not been confirmed as final or complete.

Given the critical nature of SessionReaper, store owners are strongly advised to prioritize the deployment of the official security update to prevent session hijacking and other potential automated attacks.
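The leaked patch is described above as limiting API input to simple types or authorized API data objects. The following is an added illustration of that allowlisting principle, written for this article; it is not Magento's or Adobe's code, not the leaked patch, and makes no claim about the actual root cause of CVE-2025-54236. The `CustomerData` and `AddressData` classes, the `SafeInputProcessor` class and the request payload are all constructed for the example (PHP 8.1 or later). The point it shows is that the type a value is converted into always comes from server-side contract metadata, and that anything other than a scalar, a list of scalars, or a class on an explicit allowlist is rejected rather than instantiated.

```php
<?php
declare(strict_types=1);

// Added example (not Magento/Adobe code). Constructed data-object classes that
// stand in for an API contract's declared parameter types.
final class AddressData
{
    public function __construct(public string $street = '', public string $city = '') {}
}

final class CustomerData
{
    public function __construct(
        public string $email = '',
        public ?AddressData $address = null,
    ) {}
}

final class SafeInputProcessor
{
    private const SIMPLE_TYPES = ['int', 'float', 'string', 'bool'];

    /** @var array<string, true> class names that may be built from request data */
    private array $allowedDtos;

    /** @param list<class-string> $allowedDtos */
    public function __construct(array $allowedDtos)
    {
        $this->allowedDtos = array_fill_keys($allowedDtos, true);
    }

    /**
     * Convert one raw JSON value into the type the API contract declares.
     * $declaredType comes from server-side metadata (here: constructor parameter
     * types discovered by reflection), never from the request body itself.
     */
    public function convert(string $declaredType, mixed $value): mixed
    {
        // "int[]", "AddressData[]", ...: convert each element to the inner type.
        if (str_ends_with($declaredType, '[]')) {
            if (!is_array($value)) {
                throw new InvalidArgumentException("Expected a list for $declaredType");
            }
            $inner = substr($declaredType, 0, -2);
            return array_map(fn ($v) => $this->convert($inner, $v), $value);
        }

        // Simple types: only scalars are accepted, then cast to the declared type.
        if (in_array($declaredType, self::SIMPLE_TYPES, true)) {
            if (is_array($value) || is_object($value)) {
                throw new InvalidArgumentException("Expected a scalar for $declaredType");
            }
            settype($value, $declaredType);
            return $value;
        }

        // Everything else must be an explicitly allowlisted data object; an
        // arbitrary class name reachable through the API is refused here.
        if (!isset($this->allowedDtos[$declaredType])) {
            throw new InvalidArgumentException("$declaredType is not an allowed API data object");
        }
        if (!is_array($value)) {
            throw new InvalidArgumentException("Expected an object for $declaredType");
        }
        return $this->buildDto($declaredType, $value);
    }

    /** Build an allowlisted DTO from its declared constructor parameters only. */
    private function buildDto(string $class, array $fields): object
    {
        $ctor = (new ReflectionClass($class))->getConstructor();
        $args = [];
        foreach ($ctor?->getParameters() ?? [] as $param) {
            $name = $param->getName();
            if (!array_key_exists($name, $fields)) {
                continue; // absent field keeps the constructor default
            }
            $type = $param->getType();
            if (!$type instanceof ReflectionNamedType) {
                throw new InvalidArgumentException("Unsupported parameter type for $name");
            }
            if ($fields[$name] === null && $type->allowsNull()) {
                $args[$name] = null;
                continue;
            }
            // Recurse with the type the contract declares, not a type from the payload.
            $args[$name] = $this->convert($type->getName(), $fields[$name]);
        }
        // Fields the contract does not declare are rejected instead of silently ignored.
        $unknown = array_diff_key($fields, $args);
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unknown fields: ' . implode(', ', array_keys($unknown)));
        }
        return new $class(...$args);
    }
}

$processor = new SafeInputProcessor([CustomerData::class, AddressData::class]);

// Constructed request payload that matches the contract.
$customer = $processor->convert(CustomerData::class, [
    'email'   => 'user@example.com',
    'address' => ['street' => '1 Main St', 'city' => 'Springfield'],
]);
var_dump($customer instanceof CustomerData && $customer->address instanceof AddressData);

// A declared type outside the allowlist is refused before any object is created.
try {
    $processor->convert('ArrayObject', ['x' => 1]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is that the allowlist is checked before reflection or instantiation, so a class that is loadable but not part of the API contract is never constructed from request data, and unknown fields fail the request rather than being dropped.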

The post Magento and Adobe SessionReaper Vulnerability Exposes Thousands Of Online Stores to Attacks appeared first on Cyber Security News.
