SessionReaper flaw patched in Magento after critical security alert - ShiftDelete.Net Global

ShiftDelete.net
FOLLOW US

SessionReaper flaw patched in Magento after critical security alert

Adobe patched a critical Magento flaw named SessionReaper that could let attackers hijack accounts via the REST API without authentication.

SessionReaper-1

Adobe has patched a major vulnerability in Magento, warning that attackers could exploit it to hijack user sessions without needing to log in. The bug dubbed SessionReaper was considered one of the most severe flaws ever found in the platform.

SessionReaper flaw gave attackers a direct path into accounts

SessionReaper-2

Filed under CVE-2025-54236, the vulnerability impacts both Adobe Commerce and Magento Open Source. Security researchers at Sansec say the bug could allow full account takeover by abusing Magento’s REST API. Worse, it didn’t require any user interaction or credentials.

The flaw appears to rely on Magento’s default setup, which stores session data on the file system. That configuration is still widely used by merchants, increasing the potential scope of the attack.

Meta Connect 2025: Four big announcements we’re likely to see

Meta Connect 2025: Four big announcements we’re likely to see

Meta Connect 2025 could unveil Hypernova smart glasses, AI upgrades, third-party app support, and Horizon OS improvements.

Adobe released a patch, but not before a leak

While Adobe officially released the fix on September 9, select Commerce customers were notified five days earlier. Adobe also deployed a temporary web application firewall (WAF) rule for cloud-hosted stores to help mitigate risk.

However, Sansec says a version of the hotfix leaked early, potentially giving attackers a head start on developing real-world exploits.

Adobe emphasized the urgency in its updated advisory:

“Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited means to help remediate.”

SessionReaper joins the list of serious Magento exploits

While there’s no evidence of active exploitation yet, Sansec warns this flaw could be weaponized at scale, using automated tools to target large numbers of vulnerable sites.

Other high-profile Magento vulnerabilities include:

  • CosmicSting – a session forging bug from 2024
  • TrojanOrder – exploited for privilege escalation
  • Ambionics SQLi – allowed database access
  • Shoplift – enabled full remote code execution

Magento store owners urged to patch immediately

Administrators are advised to test the fix before deployment, as it disables internal Magento functions that could break custom or third-party code. Adobe has updated documentation to reflect changes in the Commerce REST API constructor injection methods.

SessionReaper may be silent for now, but with early code leaks and its critical impact, the clock is ticking for Magento users to patch or risk losing control of their stores.

adobe
leak
Magento
Session Reaper

SDN Comments 0 Comments

Comment

HOW TOAll

Related News

The new Ferrari Testarossa will break horsepower records
The new Ferrari Testarossa will break horsepower records
OnePlus may offer a 165Hz display for its flagship!
OnePlus may offer a 165Hz display for its flagship!
OPPO Find X9 and X9 Pro battery capacities confirmed!
OPPO Find X9 and X9 Pro battery capacities confirmed!
The world’s best-selling PlayStation games revealed
The world’s best-selling PlayStation games revealed

SDN Network

Sihirli Elma Yeşil Robot Tech Inside Pembe Teknoloji Future Flow Life

SDN.net

1250 BORREGAS AVENUE, #40, SUNNYVALE, CA
94089 ShiftDelete.Net LLC

info@shiftdelete.net

Shiftdelete.Net is a member of the Association of Internet Media and IT Reporters.

Desteklio