{"id":14769,"date":"2025-09-10T18:35:22","date_gmt":"2025-09-10T18:35:22","guid":{"rendered":"https:\/\/newestek.com\/?p=14769"},"modified":"2025-09-10T18:35:22","modified_gmt":"2025-09-10T18:35:22","slug":"adobe-commerce-and-magento-users-patch-critical-sessionreaper-flaw-now","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14769","title":{"rendered":"Adobe Commerce and Magento users: Patch critical SessionReaper flaw now"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Adobe issued an emergency patch for one of the most severe vulnerabilities ever discovered in the Magento Open Source ecommerce platform and Adobe Commerce, its enterprise counterpart. The flaw allows unauthenticated attackers to hijack user accounts and, in some cases, execute arbitrary code on servers.<\/p>\n<p>Tracked as CVE-2025-54236 and dubbed SessionReaper by the security community, the vulnerability was privately reported to Adobe by an external researcher. The company deemed it serious enough <a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento\/apsb25-88.html\">to release an out-of-band patch<\/a>, breaking its regular two-month update cycle for Adobe Commerce.<\/p>\n<p>Adobe Commerce customers received advance notice of the patch on Sept. 4, but it appears Magento Open Source users were not alerted. Magento powers more than 150,000 active e-commerce websites and has a long history of being targeted by hackers. 
Adobe Commerce, built on Magento, supports more than 200,000 enterprise ecommerce sites.<\/p>\n<p>\u201cMagento and Adobe Commerce are no strangers to threat actors, given their widespread use for powering ecommerce stores and handling payment card data,\u201d Benjamin Harris, CEO of security firm watchTowr, told CSO. \u201cWe can expect serious vulnerabilities like this one to enable Magecart-style attacks and payment data theft. Given the history of in-the-wild exploitation against Magento and the emergency nature of this update, we strongly urge organizations to patch immediately.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/567335\/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html\">Magecart<\/a> refers to a class of attacks in which hackers compromise online stores and inject malicious scripts into payment forms to steal customer payment card data during checkout. These scripts, also known as web skimmers, have been used by multiple attacker groups, but the term Magecart derives from Magento, one of the first platforms targeted with this technique through vulnerable extensions.<\/p>\n<p>While web skimming and form-jacking dominated the ecommerce threat landscape between 2010 and 2020, <a href=\"https:\/\/www.csoonline.com\/article\/567059\/magecart-payment-card-skimmer-gang-returns-stronger-than-ever.html\">Magecart-style attacks<\/a> remain active. Ecommerce security firm Sansec reports adding on average 30 new web skimming signatures per day last year.<\/p>\n<h2 class=\"wp-block-heading\" id=\"exploitation-via-magentos-rest-api\">Exploitation via Magento\u2019s REST API<\/h2>\n<p>Adobe\u2019s advisory describes the flaw as a security feature bypass but provides few technical details to avoid aiding attackers. The vulnerability carries a CVSS score of 9.1 out of 10, underscoring its severity.<\/p>\n<p>Researchers at Sansec were able to identify and replicate the issue. 
In addition to enabling account takeover, the flaw can lead to remote code execution when file-based session storage is used.<\/p>\n<p>\u201cWhile we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year\u2019s CosmicSting attack,\u201d Sansec researchers noted in <a href=\"https:\/\/sansec.io\/research\/sessionreaper\">their report<\/a>. \u201cThe attack combines a malicious session with a nested deserialization bug in Magento\u2019s REST API.\u201d<\/p>\n<p>CosmicSting (CVE-2024-34102) was one of the <a href=\"https:\/\/www.csoonline.com\/article\/3546884\/hackers-steal-sensitive-customer-data-from-thousands-of-online-stores-that-use-adobe-tools.html\">most severe Magento flaws in recent years<\/a>, allowing attackers to read any site files, including those containing sensitive credentials. A common exploitation method involved stealing the site\u2019s secret cryptographic key from <code>app\/etc\/env.php<\/code> and injecting malicious JavaScript via the REST API to harvest customer data.<\/p>\n<p>Adobe stated in its advisory that no active exploitation of SessionReaper has been observed so far. However, given the history of Magento and Adobe Commerce vulnerabilities, this could change quickly.<\/p>\n<p>\u201cSessionReaper is among the most severe Magento vulnerabilities to date, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),\u201d Sansec warned. \u201cEach time, thousands of stores were compromised, sometimes within hours of disclosure.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Adobe issued an emergency patch for one of the most severe vulnerabilities ever discovered in the Magento Open Source ecommerce platform and Adobe Commerce, its enterprise counterpart. The flaw allows unauthenticated attackers to hijack user accounts and, in some cases, execute arbitrary code on servers. 
Tracked as CVE-2025-54236 and dubbed SessionReaper by the security community, the vulnerability was privately reported to Adobe by an external&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14769\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14769","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14769"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14769\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}