CVE-2025-54236 “SessionReaper” in Adobe Commerce/Magento: Critical REST API Flaw Enables Account Takeover

CyberSecureFox 🦊

A critical vulnerability tracked as CVE-2025-54236 and informally dubbed SessionReaper impacts Adobe Commerce and Magento, earning a CVSS 9.1 severity. According to Adobe and researchers at Sansec, the bug allows unauthenticated account takeover via the Commerce REST API. Adobe has released patches, and a temporary WAF rule is active for Adobe Commerce on Cloud customers; however, prompt patching remains essential.

What the “SessionReaper” vulnerability enables

The issue stems from improper server-side handling of session data when processing specific REST API calls. Under certain conditions, an attacker can hijack a user’s active session—effectively stealing the login state—and then access the victim’s account without valid credentials. In simple terms, it’s a session hijacking path exposed through the API surface, which is a high-value target in modern commerce architectures.

Affected platforms and configurations

The risk is pronounced where sessions are stored on the filesystem, which is the default and common in production deployments. Filesystem-backed sessions are harder to centrally control compared to in-memory stores like Redis. Adobe Commerce on Cloud customers benefit from an automatically deployed WAF rule to mitigate exploitation attempts, but installing the official patch is still mandatory for full remediation.

Timeline and current exploitation status

Adobe notified select Commerce customers on September 4 about an impending fix and released updates on September 9. Sansec reports no confirmed in-the-wild exploitation at the time of writing. However, a leaked hotfix surfaced last week, which increases the likelihood of rapid exploit development and automation by botnets and mass scanners.

Why this is high-impact for e-commerce security

REST APIs are a core attack surface and feature prominently in the OWASP API Security Top 10. Past Magento-focused campaigns—such as Shoplift, TrojanOrder, CosmicSting, and Ambionics’ SQLi findings—demonstrate how session forgery, privilege escalation, and code execution have been leveraged for skimming scripts and payment data theft. A CVSS 9.1, unauthenticated vector that targets the API layer is likely to be incorporated quickly into mass automated attacks.

Immediate mitigation and hardening guidance

1) Patch without delay. Back up, test in staging, and roll out the official Adobe updates. Adobe warns the fix disables certain internal Magento features, which may impact custom modules and integrations—plan regression tests accordingly.

2) Strengthen session management. Migrate session storage from the filesystem to a centralized backend like Redis. Enforce short TTLs for guest sessions, regenerate session IDs on privilege changes, and invalidate sessions after updates to critical attributes (e.g., email, password, payment methods).

3) Harden the REST API perimeter. Enable or update WAF rules, apply rate limiting, behavioral anomaly filtering, and geofencing for sensitive endpoints. Where feasible, implement IP allowlists for administrative APIs and restrict unused routes.

4) Enhance monitoring and response. Review logs for spikes in API calls, authorization errors, and unusual request patterns. Rotate API tokens, and consider forced reauthentication for users if compromise is suspected. Configure SIEM alerts for indicators of session substitution or token reuse anomalies.

5) Communicate with customers. If you enforce logout or rotate sessions, notify users and encourage two-factor authentication wherever available to reduce account takeover risk.
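As an added illustration of the monitoring step in item 4 (not code from Adobe, Sansec or the article), the script below scans constructed REST API access-log lines for the three signals named above: per-source call spikes, bursts of 401/403 authorization errors, and one session identifier showing up from more than one client IP. The log field layout, the IPs and the session-id hashes are all constructed for the example; the `/rest/V1/...` paths are ordinary Magento REST routes, not the vulnerable endpoint, which the article does not name.

```python
"""Scan constructed Magento REST API access-log lines for the anomalies the
checklist calls out: call spikes per source, bursts of authorization errors,
and one session identifier seen from several client IPs (session substitution
or token reuse). The line format and all values are constructed; a real
deployment maps its own access-log fields onto parse_line()."""
from collections import Counter, defaultdict

# Constructed lines, one scan window: "<ip> <method> <path> <status> <session-id-hash>"
SAMPLE_LOG = """\
203.0.113.7 GET /rest/V1/customers/me 200 sid-aaaa
203.0.113.7 GET /rest/V1/carts/mine 200 sid-aaaa
198.51.100.9 GET /rest/V1/customers/me 200 sid-aaaa
198.51.100.9 POST /rest/V1/carts/mine/items 401 sid-none
198.51.100.9 POST /rest/V1/carts/mine/items 401 sid-none
198.51.100.9 POST /rest/V1/carts/mine/items 403 sid-none
198.51.100.9 GET /rest/V1/customers/me 401 sid-none
192.0.2.33 GET /rest/V1/products/24-MB01 200 sid-bbbb
192.0.2.33 GET /rest/V1/store/storeViews 200 sid-bbbb
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ip, method, path, status, sid = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "sid": sid}

def analyze(log_text, call_threshold=3, error_threshold=3):
    """Return findings keyed by anomaly type for one scan window of log text."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    api = [e for e in entries if e["path"].startswith("/rest/")]   # REST API calls only
    calls = Counter(e["ip"] for e in api)                            # calls per source IP
    errors = Counter(e["ip"] for e in api if e["status"] in (401, 403))
    sid_ips = defaultdict(set)                                       # session id -> client IPs
    for e in api:
        if e["sid"] != "sid-none":                                   # unauthenticated calls carry no session
            sid_ips[e["sid"]].add(e["ip"])
    return {
        "call_spike": sorted(ip for ip, n in calls.items() if n > call_threshold),
        "auth_error_burst": sorted(ip for ip, n in errors.items() if n >= error_threshold),
        "session_multi_ip": {sid: sorted(ips) for sid, ips in sid_ips.items() if len(ips) > 1},
    }

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

In the constructed sample, one source both exceeds the call threshold and accumulates authorization errors, and session `sid-aaaa` is used from two different IPs, which is the kind of event the article suggests should trigger a SIEM alert and forced reauthentication.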

Expert assessment and operational priorities

The combination of a high CVSS score, no-auth attack path, and API exposure makes SessionReaper an attractive target for opportunistic scanning and botnet exploitation. Even absent confirmed field exploitation, the hotfix leak meaningfully shortens the path from proof-of-concept to weaponization. Organizations should minimize the exposure window by patching immediately, moving off filesystem sessions, tightening API defenses, and validating business-critical integrations affected by Magento’s internal changes post-patch.

Swift, coordinated action—patching, session hardening, API rate-limiting, and targeted monitoring—will materially reduce the risk of automated account takeovers, data theft, and downstream financial and reputational losses. Treat this as a priority change window and validate controls against realistic attack sequences to ensure resilience.
