Adobe issued an emergency patch for one of the most severe vulnerabilities ever discovered in the Magento Open Source ecommerce platform and Adobe Commerce, its enterprise counterpart. The flaw allows unauthenticated attackers to hijack user accounts and, in some cases, execute arbitrary code on servers.
Tracked as CVE-2025-54236 and dubbed SessionReaper by the security community, the vulnerability was privately reported to Adobe by an external researcher. The company deemed it serious enough to release an out-of-band patch, breaking its regular two-month update cycle for Adobe Commerce.
Adobe Commerce customers received advance notice of the patch on Sept. 4, but it appears Magento Open Source users were not alerted. Magento powers more than 150,000 active ecommerce websites and has a long history of being targeted by hackers. Adobe Commerce, built on Magento, supports more than 200,000 enterprise ecommerce sites.
“Magento and Adobe Commerce are no strangers to threat actors, given their widespread use for powering ecommerce stores and handling payment card data,” Benjamin Harris, CEO of security firm watchTowr, told CSO. “We can expect serious vulnerabilities like this one to enable Magecart-style attacks and payment data theft. Given the history of in-the-wild exploitation against Magento and the emergency nature of this update, we strongly urge organizations to patch immediately.”
Magecart refers to a class of attacks in which hackers compromise online stores and inject malicious scripts into payment forms to steal customer payment card data during checkout. These scripts, also known as web skimmers, have been used by multiple attacker groups, but the term Magecart derives from Magento, one of the first platforms targeted with this technique through vulnerable extensions.
While web skimming and form-jacking dominated the ecommerce threat landscape between 2010 and 2020, Magecart-style attacks remain active. Ecommerce security firm Sansec reports that it added, on average, 30 new web skimming signatures per day last year.
Exploitation via Magento’s REST API
Adobe’s advisory describes the flaw as a security feature bypass but provides few technical details to avoid aiding attackers. The vulnerability carries a CVSS score of 9.1 out of 10, underscoring its severity.
Researchers at Sansec were able to identify and replicate the issue. In addition to enabling account takeover, the flaw can lead to remote code execution when file-based session storage is used.
“While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year’s CosmicSting attack,” Sansec researchers noted in their report. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.”
CosmicSting (CVE-2024-34102) was one of the most severe Magento flaws in recent years, allowing attackers to read any site files, including those containing sensitive credentials. A common exploitation method involved stealing the site’s secret cryptographic key from app/etc/env.php and injecting malicious JavaScript via the REST API to harvest customer data.
Adobe stated in its advisory that no active exploitation of SessionReaper has been observed so far. However, given the history of Magento and Adobe Commerce vulnerabilities, this could change quickly.
“SessionReaper is among the most severe Magento vulnerabilities to date, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” Sansec warned. “Each time, thousands of stores were compromised, sometimes within hours of disclosure.”