SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)
by Sansec Forensics Team - sansec.io Published in Threat Research − September 08, 2025 Adobe released an out-of-band emergency patch for SessionReaper (CVE-2025-54236). The bug may hand control of a store to unauthenticated attackers. Automated abuse is expected and merchants should act immediately. Article updated: Sep 9th, 2025 13:48 UTC Adobe broke their regular release schedule to publish a fix for a critical (9.1) flaw in all versions of Adobe Commerce and Magento. The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so may less benign parties. It does not help that the Adobe patch was accidentally leaked last week, so bad actors may already be working on the exploit code. Adobe's official advisory describes the impact as "an attacker could take over customer accounts," which does not mention the risk of remote code execution. The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack: "Blaklis BTW, this is a potential preauth RCE, whatever the bulletin is saying. Please patch ASAP" SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published. Timeline Aug 22nd: Adobe internally discusses emergency fix Sep 4th: Adobe privately announces emergency fix to selected Commerce customers Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88 What merchants should do If you are already using Sansec Shield, you are protected against this attack. If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions. If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only two WAFs block this attack right now: Adobe Fastly and Sansec Shield. If you did deploy the patch but not within 24 hours of publication, we recommend to run a malware scanner like eComscan to find any signs of compromise on your system. We also recommend to rotate your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely. How the attack works Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API. The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability. Active exploitation Sansec tracks ecommerce attacks in real-time around the globe. We have not seen any active abuse yet but will update this section when we do. Follow live ecommerce attacks here. Acknowledgements Credits to Blaklis for discovering the flaw. Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research. Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 10% of all Magento stores worldwide.
