Adobe Commerce and Magento Open Source recently faced one of the most severe security vulnerabilities in their platform's history, tracked as CVE-2025-54236. This critical flaw has prompted Adobe to break its regular update cycle to release an emergency patch on September 9, 2025, under Security Bulletin APSB25-88. In response to the issue, On Tap took immediate action, updating clients’ servers as soon as 30 minutes after the patch was released. Continue reading this blog to explore the SessionReaper vulnerability, Adobe’s rapid emergency response, and essential actions merchants should take.
What is SessionReaper (CVE-2025-54236)?
"SessionReaper" (CVE-2025-54236) is an improper input validation vulnerability (CWE-20, rated critical by Adobe with a CVSS score of 9.1) in the Web API ServiceInputProcessor of Adobe Commerce and Magento Open Source. Because nested objects supplied in API request bodies were not sufficiently validated before being converted into the platform's internal data objects, an unauthenticated attacker can send crafted requests to REST, GraphQL or SOAP endpoints that bypass security controls the web API is supposed to enforce.
In plain terms: when you log into an online store, the site issues you a session that acts like a temporary ID card saying "this is really this customer". SessionReaper lets an attacker, without knowing any password or stealing a real session cookie, send API requests that the store treats as coming from a logged-in customer. The attacker can then act as that customer and reach the account, its orders and the personal information stored against it.
Why is SessionReaper critical?
This vulnerability is a significant risk because, left unpatched, it allows unauthorised access to customer accounts and sensitive data. The attack needs no login and no action from the victim, so it is cheap to attempt at scale. It lets attackers take over customer sessions remotely and read order and personal information. On some installations it can go further and lead to code execution on the server; the known precondition is file-based session storage, so stores that keep sessions in Redis or the database are exposed to account takeover but not to that escalation.
At the time of writing no widespread attacks had been observed, but the patch was accidentally leaked ahead of its official release, which gives attackers a head start on reverse-engineering the fix and building automated exploit tools. Compared with previous Magento issues such as Shoplift (2015) and CosmicSting (2024), SessionReaper is serious but manageable provided it is addressed quickly.
Recognising the critical nature of the issue, On Tap acted immediately, updating clients’ servers as quickly as 30 minutes after Adobe released the emergency patch. Our team conducted thorough regression testing to ensure the patch caused no negative impact on custom code or integrations, providing clients with a seamless and secure update experience.
Affected Magento/Adobe Commerce versions
This vulnerability affects a wide range of Adobe Commerce and Magento versions and products. In each case the listed version and all earlier versions on that release line are affected:

| Product | Affected versions |
| --- | --- |
| Adobe Commerce | 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14 and 2.4.4-p15, and earlier |
| Adobe Commerce B2B | 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.4-p14 and 1.3.3-p15, and earlier |
| Magento Open Source | 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12 and 2.4.5-p14, and earlier |
| Custom Attributes Serializable module | 0.1.0 to 0.4.0 |
Adobe’s emergency response to the issue
After CVE-2025-54236 was reported, Adobe released an out-of-band hotfix, VULN-32437-2-4-X-patch, ahead of its normal quarterly update schedule. It is a patch applied on top of an existing installation rather than a new release, so merchants do not need to upgrade to a new version line to be protected.
The emergency patch, released on September 9, 2025, adds stricter input validation and parameter type checks to the Web API ServiceInputProcessor. Request parameters are now accepted only if they are recognised scalar types or valid API data objects, and nested objects are checked by the same rule, which closes the improper input validation gap that allowed malicious payloads to pass through REST, GraphQL or SOAP calls.
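To make the validation rule concrete, here is an added illustration in PHP 8 of the difference between a loose input hydrator and one that enforces "scalars of the declared type, or allowlisted API data objects, nothing else". It is example code written for this article, not Magento's ServiceInputProcessor and not a reproduction of the actual flaw or exploit; the data classes (AddressData, CustomerData, ShellTask), the allowlist and the sample request bodies are all assumed.

```php
<?php
declare(strict_types=1);

// Added illustration only. Not Magento's ServiceInputProcessor; the classes,
// the allowlist and the request bodies below are assumptions for the example.

interface ApiDataInterface {}

final class AddressData implements ApiDataInterface
{
    public string $city = '';
    public string $country = '';
}

final class CustomerData implements ApiDataInterface
{
    public string $email = '';
    public ?AddressData $address = null;
}

// Loadable by the autoloader, but must never be built from request input.
final class ShellTask
{
    public string $command = '';
}

const SCALAR_TYPES     = ['int', 'float', 'string', 'bool'];
const API_DATA_OBJECTS = [AddressData::class, CustomerData::class];

/** Weak: loose scalar coercion and no allowlist on which classes get built. */
function hydrateWeak(string $type, mixed $value): mixed
{
    if (in_array($type, SCALAR_TYPES, true)) {
        settype($value, $type);            // "abc" becomes 0, 12345 becomes "12345"
        return $value;
    }
    $object = new $type();                 // any class the declared type names
    foreach ((array) $value as $key => $item) {
        $propType = (new ReflectionProperty($type, $key))->getType()->getName();
        $object->$key = hydrateWeak($propType, $item);
    }
    return $object;
}

/**
 * Hardened: a scalar must arrive as exactly that JSON type, an object must be
 * an allowlisted API data object built from declared properties only, and
 * anything else is rejected. Nested objects are checked recursively.
 */
function hydrateStrict(string $type, mixed $value, bool $nullable = false): mixed
{
    if ($value === null) {
        if ($nullable) {
            return null;
        }
        throw new InvalidArgumentException("null is not allowed for $type");
    }
    if (in_array($type, SCALAR_TYPES, true)) {
        $ok = match ($type) {
            'int'    => is_int($value),
            'float'  => is_int($value) || is_float($value),
            'string' => is_string($value),
            'bool'   => is_bool($value),
        };
        if (!$ok) {
            throw new InvalidArgumentException("expected $type, got " . get_debug_type($value));
        }
        return $type === 'float' ? (float) $value : $value;
    }
    if (!in_array($type, API_DATA_OBJECTS, true)) {
        throw new InvalidArgumentException("$type is not an API data object");
    }
    if (!is_array($value)) {
        throw new InvalidArgumentException("expected object for $type, got " . get_debug_type($value));
    }
    $ref    = new ReflectionClass($type);
    $object = $ref->newInstance();
    foreach ($value as $key => $item) {
        if (!is_string($key) || !$ref->hasProperty($key)) {
            throw new InvalidArgumentException("unknown field '$key' for $type");
        }
        $propType     = $ref->getProperty($key)->getType();
        $object->$key = hydrateStrict($propType->getName(), $item, $propType->allowsNull());
    }
    return $object;
}

/** Run each (declared type, decoded request body) pair through a hydrator and report. */
function runCases(callable $hydrate, array $cases): array
{
    $out = [];
    foreach ($cases as $label => [$type, $value]) {
        try {
            $out[$label] = 'accepted as ' . get_debug_type($hydrate($type, $value));
        } catch (Throwable $e) {
            $out[$label] = 'rejected: ' . $e->getMessage();
        }
    }
    return $out;
}

// Constructed request bodies (already JSON-decoded) with the parameter type a
// controller would declare for each of them.
$cases = [
    'valid nested'     => [CustomerData::class, ['email' => 'a@example.com', 'address' => ['city' => 'Leeds', 'country' => 'GB']]],
    'loose scalar'     => ['int', 'abc'],
    'wrong field type' => [CustomerData::class, ['email' => 12345]],
    'unknown field'    => [CustomerData::class, ['email' => 'a@example.com', 'role' => 'admin']],
    'non-data class'   => [ShellTask::class, ['command' => 'id']],
];

print_r(runCases('hydrateWeak', $cases));
print_r(runCases('hydrateStrict', $cases));
```

Running it with `php example.php` shows the weak hydrator accepting the non-data class and the coerced scalars (it only trips over the unknown field by accident of a reflection error), while the strict one accepts the valid nested body and rejects every other case with a clear reason. The point for reviewing custom extensions is the allowlist check: declared parameter types alone are not enough if the set of classes that can be instantiated from request data is open-ended.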
The patch covers affected Adobe Commerce versions ranging from 2.4.4-p15 up through 2.4.9-alpha2 and their related B2B and Open Source editions. For Commerce Cloud customers, Adobe has also rolled out Web Application Firewall (WAF) rules to provide additional real-time protection against attacks targeting this flaw.
What merchants should do
Merchants are strongly advised to apply Adobe's emergency patch immediately. Because the patch was accidentally leaked ahead of the official release, automated exploit attempts are anticipated, and prompt patching is the only change that actually closes the vulnerability rather than filtering attempts at it.
After applying the patch, thorough testing is necessary since the update modifies core input validation and may affect custom extensions or third-party integrations. Merchants should monitor their systems closely for any unusual behaviour during this phase.
If the patch cannot be installed right away, putting a Web Application Firewall (WAF) rule in front of the store that blocks SessionReaper attempts is the recommended temporary safeguard, keeping in mind that a WAF filters known request patterns and is not a substitute for the fix. At the time of writing, the Fastly WAF rules on Adobe Commerce Cloud and Sansec Shield were known to block exploit attempts targeting this vulnerability.
Once the patch is deployed, Adobe and independent security researchers recommend running comprehensive malware scans to detect any compromise that happened before remediation. Rotating the store's secret cryptographic keys, in particular the encryption key held in app/etc/env.php, is also essential: if an attacker reached the key before the patch landed, anything encrypted or signed with it remains exposed, and rotation removes that persistent foothold.
Merchants should also keep up-to-date with security advisories from Adobe and trusted cybersecurity sources to apply any subsequent patches or mitigation steps as they become available.
Final notes
SessionReaper (CVE-2025-54236) is a wake-up call for all Magento and Adobe Commerce users to prioritise regular updates, security audits, and incident response preparedness. This vulnerability highlights the importance of stringent input validation and session management in eCommerce platforms where customer data and transactional integrity are paramount.
Ensure your Magento environment is patched and monitored — delaying could put your customers and business at high risk of takeover and data breaches. If you require assistance with patching or securing your Magento/Adobe Commerce environment against CVE-2025-54236, consider reaching out to professional security services specialised in Magento protection.
For robust security and peace of mind, On Tap’s Magento expert team can assist with seamless hotfix deployment and testing—applying critical security patches quickly and effectively while minimising disruption. We also offer AuditIQ, a powerful automated monitoring service that runs hundreds of security and performance checks every day, alerting you to unusual activity or potential threats in real time. Contact us to secure your online store with AuditIQ monitoring and professional hotfix implementation support.