SessionReaper, a critical bug in Magento & Adobe Commerce (CVE-2025-54236)
by Sansec Forensics Team
Published in Threat Research − September 08, 2025
Adobe breaks their regular patch schedule and will release an emergency fix for CVE-2025-54236 within the next 24 hours. Automated abuse is expected and merchants should act immediately.

Adobe just announced an emergency patch release for Tuesday, September 9th. It fixes a critical issue that could not wait for the next patch cycle on October 14th.
This bug, dubbed SessionReaper, is among the most severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.
Adobe provided advance notice to its Commerce customers but not to open source Magento users, leaving the latter community frustrated about the lack of prior warning for such a critical security update.
Timeline
- Aug 22nd: Adobe internally discusses emergency fix
- Sep 4th: Adobe privately announces emergency fix to Commerce customers
- Sep 9th: Adobe will release emergency patch for SessionReaper - CVE-2025-54236
What merchants should do
If you are already using Sansec Shield, you are protected against this attack!
If you are not using Sansec Shield, you should remain on standby to test and deploy the patch as soon as it becomes available (likely at 14:00 UTC on Tuesday). Adobe updates will be published here. You can also follow Sansec on LinkedIn for instant updates.
A concept patch from Adobe has been leaked and is currently circulating. It is called "MCLOUD-14016 patch for CVE-2025-54236 webapi improvement", but it is unclear whether this will be the final patch, so use it at your own risk.
diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index ba58dc2bc7acf..06919af36d2eb 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -246,6 +246,13 @@ private function getConstructorData(string $className, array $data): array
if (isset($data[$parameter->getName()])) {
$parameterType = $this->typeProcessor->getParamType($parameter);
+ // Allow only simple types or Api Data Objects
+ if (!($this->typeProcessor->isTypeSimple($parameterType)
+ || preg_match('~\\\\?\w+\\\\\w+\\\\Api\\\\Data\\\\~', $parameterType) === 1
+ )) {
+ continue;
+ }
+
try {
$res[$parameter->getName()] = $this->convertValue($data[$parameter->getName()], $parameterType);
} catch (\ReflectionException $e) {
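Review bot: the new guard in getConstructorData silently `continue`s past any constructor parameter whose type is neither simple nor under an `Api\Data` namespace, so a request carrying such a parameter is accepted with that value dropped rather than rejected; the caller gets no error and nothing is logged. Consider throwing a Webapi input exception (or at least logging the parameter name and type) so the rejection is visible to the client and can be alerted on server-side. Also, the pattern `'~\\\\?\w+\\\\\w+\\\\Api\\\\Data\\\\~'` is unanchored, so it matches that segment anywhere inside the type string; anchoring it to the start (`^`) would make the allow-list intent explicit and avoid admitting types that merely contain `\Api\Data\` somewhere in their name. A short comment explaining why constructor parameters are restricted to simple types and API data objects would also help future maintainers keep the check intact.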
How the attack works
We will update this section once the patch is released.
Follow live ecommerce attacks here.
Acknowledgements
Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research.
Sansec is not affiliated with Adobe and runs unbiased security research across the Magento ecosystem. Sansec protects 10% of all Magento stores worldwide.