Critical SessionReaper Flaw in Magento Puts Thousands of Online Stores at Risk

A significant security flaw, known as SessionReaper and designated as CVE-2025-54236, has been identified in Adobe’s Magento e-commerce platform. This vulnerability allows attackers to hijack user sessions and potentially execute malicious code remotely, posing a severe risk to online retailers worldwide.

Discovery and Initial Response

The vulnerability was first brought to light on September 9, 2025, when Adobe released an emergency security bulletin accompanied by patches to address the issue. At that time, the flaw was rated as critical due to its potential for unauthorized access. The situation escalated on October 22, 2025, when security researchers at Sansec publicly disclosed a proof-of-concept exploit, leading to a surge in attack attempts. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))

Technical Details of SessionReaper

SessionReaper arises from inadequate validation of user inputs within Magento’s authentication mechanisms. By manipulating session data, attackers can impersonate legitimate users, gaining control over administrative panels or customer accounts without needing valid credentials. More concerning is that advanced exploitation techniques demonstrated in the public proof-of-concept enable unauthenticated remote code execution (RCE). This capability allows intruders to upload malicious scripts directly to servers, potentially leading to the theft of sensitive data, such as payment information, or the installation of backdoors for prolonged access. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))

Scope and Impact

The vulnerability affects multiple versions of Adobe Commerce and Magento Open Source; any installation that has not received the September 2025 patch remains exposed. SessionReaper carries a Common Vulnerability Scoring System (CVSS) score of 9.8, reflecting high impact on confidentiality, integrity, and availability with no privileges required for initial access. E-commerce operators running unpatched systems face immediate risk, as an attacker needs only a crafted request to initiate the hijack. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))

Exploitation in the Wild

Following the public release of the proof-of-concept exploit, Akamai’s security team detected the first waves of exploitation. In just 48 hours starting October 22, attackers launched over 300 probes against more than 130 unique hosts, originating from 11 distinct IP addresses. These attacks included sophisticated payloads like web shells—malicious scripts that grant persistent server control—and basic reconnaissance tools such as phpinfo queries to map server environments or echo commands to test injection success. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))
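The probe types named above (PHP web shell uploads, phpinfo reconnaissance, echo test commands) are the kind of thing a defender can flag in request logs while the patch is being rolled out. The following is an added example, not code from Akamai, Sansec, or the Magento project: it reads a constructed JSON-lines request log (the endpoint paths and bodies are placeholders, not real exploit traffic), flags requests to the Magento REST API whose decoded body carries those indicators, and summarizes hits by category, source address, and targeted host so the output resembles the "probes / hosts / IPs" figures reported in the article.

```python
import json
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed request log (JSON lines), as a WAF or reverse proxy might emit.
# Paths and bodies are placeholders chosen to exercise the detector; they are
# not real SessionReaper exploit traffic.
SAMPLE_LOG = """
{"ts":"2025-10-23T01:02:03Z","src":"198.51.100.7","host":"shop-a.example","method":"POST","path":"/rest/V1/guest-carts/abc/items","body":"{\\"cartItem\\":{\\"sku\\":\\"widget\\",\\"qty\\":1}}"}
{"ts":"2025-10-23T01:02:09Z","src":"203.0.113.5","host":"shop-a.example","method":"POST","path":"/rest/V1/placeholder-endpoint","body":"phpinfo();"}
{"ts":"2025-10-23T01:02:10Z","src":"203.0.113.5","host":"shop-b.example","method":"POST","path":"/rest/V1/placeholder-endpoint","body":"echo sessionreaper_probe_3f1c"}
{"ts":"2025-10-23T01:03:44Z","src":"203.0.113.9","host":"shop-c.example","method":"POST","path":"/rest/V1/placeholder-endpoint","body":"<?php eval(base64_decode('...')); ?>"}
{"ts":"2025-10-23T01:05:00Z","src":"192.0.2.44","host":"shop-a.example","method":"GET","path":"/rest/V1/products?searchCriteria[pageSize]=5","body":""}
"""

# Indicator categories mirror the payload kinds described in the article:
# web shell content, phpinfo reconnaissance, and echo-based injection probes.
INDICATORS = {
    "webshell": re.compile(
        r"<\?php|\beval\s*\(|base64_decode\s*\(|\b(?:system|shell_exec|passthru|exec)\s*\(",
        re.I,
    ),
    "recon": re.compile(r"phpinfo\s*\(", re.I),
    "probe": re.compile(r"^\s*echo\b", re.I | re.M),
}

# Magento exposes its web API under /rest/; only those requests are examined.
API_PREFIX = "/rest/"


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines request records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record: dict) -> list[str]:
    """Return the indicator categories matched by one request (empty if clean)."""
    if not record.get("path", "").startswith(API_PREFIX):
        return []
    # Decode percent-encoding so encoded payloads are inspected in clear text.
    body = unquote_plus(record.get("body", ""))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def summarize(records: list[dict]) -> dict:
    """Aggregate flagged requests by category, source address and targeted host."""
    by_category: Counter = Counter()
    by_source: Counter = Counter()
    hosts: set[str] = set()
    flagged = 0
    for rec in records:
        cats = classify(rec)
        if not cats:
            continue
        flagged += 1
        by_category.update(cats)
        by_source[rec["src"]] += 1
        hosts.add(rec["host"])
    return {
        "flagged": flagged,
        "by_category": dict(by_category),
        "by_source": dict(by_source),
        "hosts_targeted": len(hosts),
    }


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        cats = classify(rec)
        if cats:
            print(f"{rec['ts']} {rec['src']} -> {rec['host']} {rec['path']} {cats}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

The indicator list is deliberately narrow; a production rule set would also watch for PHP files appearing under web-writable media directories and for REST calls that succeed without an authenticated session, which an access log alone cannot show.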

Mitigation Measures

Akamai’s Adaptive Security Engine, part of its App & API Protector suite, has been blocking these attempts by default. Existing rules targeting PHP web shell uploads have neutralized threats without customer intervention. The company’s Security Intelligence Group continues to monitor developments, refining protections as new tactics emerge. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))

Experts emphasize that while web application firewalls like Akamai’s provide a crucial layer of defense, the most reliable safeguard remains applying Adobe’s patches promptly. With Magento’s vast user base, unpatched sites could become easy prey for ransomware or data theft campaigns. Organizations should scan their environments immediately, update to the latest versions, and enable robust input validation to thwart SessionReaper and similar flaws. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))

Historical Context

The severity of SessionReaper is being compared to past significant Magento vulnerabilities, such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). Each of these historical flaws led to the compromise of thousands of e-commerce sites, with threat actors often exploiting them within hours of public disclosure. This history has put the Magento and Adobe Commerce communities on high alert, emphasizing the need for immediate action. ([cybersecuritynews.com](https://cybersecuritynews.com/sessionreaper-vulnerability/?utm_source=openai))

Call to Action

Merchants are urged to apply the official patch from Adobe without delay. The updates are available on Adobe’s security bulletin webpage. The leaked patch, titled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement”, suggests the vulnerability is located in the `Webapi/ServiceInputProcessor.php` file. The fix appears to restrict the types of data that can be processed through the API, allowing only simple types or authorized API Data Objects. ([cybersecuritynews.com](https://cybersecuritynews.com/sessionreaper-vulnerability/?utm_source=openai))
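The principle behind that fix, an input processor that builds only scalar values or data objects from a closed registry and never lets the request payload choose a type, can be shown independently of Magento. The following is an added illustration written for this article, not Magento's `ServiceInputProcessor` code: the `REGISTRY` of data objects, the field names and the `InputRejected` exception are all hypothetical. The declared type always comes from the API's own method signature; the payload can only supply values for fields that type declares, and any unknown field or unregistered type name is rejected before anything is instantiated.

```python
from dataclasses import dataclass
from typing import Any

# Scalar types an API parameter may declare. The allow-list is closed.
SIMPLE_TYPES: dict[str, type] = {
    "int": int,
    "float": float,
    "string": str,
    "bool": bool,
}


@dataclass(frozen=True)
class DataObjectSpec:
    """Declared shape of an authorized API data object (hypothetical registry entry)."""
    name: str
    fields: dict[str, str]  # field name -> declared type, e.g. "int", "string[]", "AddressData"


# Constructed registry: the only data objects the API is permitted to build.
REGISTRY: dict[str, DataObjectSpec] = {
    "AddressData": DataObjectSpec("AddressData", {"street": "string", "zip": "string"}),
    "CustomerData": DataObjectSpec(
        "CustomerData", {"id": "int", "email": "string", "addresses": "AddressData[]"}
    ),
}


class InputRejected(ValueError):
    """Raised when a request payload does not fit the declared type."""


def process_input(declared_type: str, value: Any, path: str = "$") -> Any:
    """Validate `value` against `declared_type` and return the cleaned structure.

    `declared_type` is taken from the API method signature, never from the payload.
    """
    if declared_type.endswith("[]"):
        item_type = declared_type[:-2]
        if not isinstance(value, list):
            raise InputRejected(f"{path}: expected list of {item_type}")
        return [process_input(item_type, item, f"{path}[{i}]") for i, item in enumerate(value)]

    if declared_type in SIMPLE_TYPES:
        expected = SIMPLE_TYPES[declared_type]
        # bool is a subclass of int in Python; treat it as a distinct type.
        if isinstance(value, bool) and expected is not bool:
            raise InputRejected(f"{path}: expected {declared_type}, got bool")
        if not isinstance(value, expected):
            raise InputRejected(f"{path}: expected {declared_type}, got {type(value).__name__}")
        return value

    spec = REGISTRY.get(declared_type)
    if spec is None:
        # Anything that is neither a simple type nor a registered data object is refused,
        # so a type name that merely exists as a class cannot be reached through the API.
        raise InputRejected(f"{path}: type {declared_type!r} is not an authorized data object")
    if not isinstance(value, dict):
        raise InputRejected(f"{path}: expected object for {declared_type}")
    unknown = set(value) - set(spec.fields)
    if unknown:
        # Unknown keys are rejected rather than ignored: the payload may not smuggle
        # extra properties or type hints into the object being built.
        raise InputRejected(f"{path}: unknown field(s) {sorted(unknown)} for {declared_type}")
    return {
        name: process_input(field_type, value[name], f"{path}.{name}")
        for name, field_type in spec.fields.items()
        if name in value
    }


def is_rejected(declared_type: str, value: Any) -> bool:
    """Convenience wrapper: True if the payload is refused by process_input."""
    try:
        process_input(declared_type, value)
    except InputRejected:
        return True
    return False


if __name__ == "__main__":
    ok = {"id": 7, "email": "a@example.test", "addresses": [{"street": "1 Main", "zip": "00000"}]}
    print(process_input("CustomerData", ok))
    print(is_rejected("CustomerData", {"id": 7, "class": "Anything"}))  # unknown field
```

The recursion means nested objects get the same treatment as the top level: an array of `AddressData` is only built because the `CustomerData` declaration names that type, and each element is checked field by field.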

Conclusion

The discovery and exploitation of the SessionReaper vulnerability highlight the ongoing risks to online retailers. With over 250 Magento stores reportedly compromised overnight as threat actors ramp up their efforts ahead of the holiday shopping season, it is imperative for all Magento users to take immediate action. Applying the necessary patches and implementing robust security measures can help protect against this and future vulnerabilities. ([cybersecuritynews.com](https://cybersecuritynews.com/magento-input-validation-vulnerability/amp/?utm_source=openai))