Cybersecurity Threat Advisory: Critical Adobe Commerce flaw

A critical security vulnerability in Adobe Commerce and Magento Open Source, tracked as CVE-2025-54236 (CVSS score 9.1) and also known as “SessionReaper”, could allow cybercriminals to take over customer accounts, putting sensitive data at risk. In response to the threat, Adobe has rushed out an emergency patch outside its regular update schedule to protect users. Review the details in this Cybersecurity Threat Advisory to reduce your risk from this vulnerability.

What is the threat?

The SessionReaper vulnerability (CVE-2025-54236) arises from improper input validation within the Magento Web API. Specifically, the API fails to enforce strict parameter-type validation, enabling attackers to supply crafted inputs that bypass expected data type checks. This flaw allows the injection of malicious payloads, which can trigger unauthorized API calls and perform privileged actions without authentication. Exploitation is zero-click, requiring no user interaction, which significantly increases the attack surface and risk of automated exploitation.

This flaw affects a wide range of Adobe Commerce and Magento Open Source versions, including:

  • Adobe Commerce (all deployment methods): versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
  • Adobe Commerce B2B: versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier
  • Magento Open Source: versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier
  • Custom Attributes Serializable module: versions 0.1.0 to 0.4.0
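As an added example (not Barracuda's or Adobe's code), the following Python script encodes the affected ranges listed above and checks an installed version against them, sorting Magento's alpha/beta/rc pre-release tags before the GA release and `-pN` patch levels after it. The version strings fed to it are constructed inputs, and a release branch the advisory does not list is reported as such rather than assumed safe.

```python
"""Triage an Adobe Commerce / Magento version against the CVE-2025-54236
affected ranges quoted in the advisory (example code, not vendor code)."""
import re

# "<version> and earlier" ceilings, one per release branch, as listed in the advisory.
AFFECTED_CEILINGS = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
}
# The module is given as an inclusive range rather than per-branch ceilings.
MODULE_RANGE = ("Custom Attributes Serializable module", "0.1.0", "0.4.0")

# Pre-release tags sort before the GA release (None); patch levels (-pN) sort after it.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$")


def parse_version(text):
    """Return (base_tuple, stage_rank, stage_number); reject unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, _STAGE_RANK[m.group(4)], int(m.group(5) or 0)


def assess(product, version):
    """Return 'affected', 'not in affected range' or 'branch not listed'."""
    base, rank, num = parse_version(version)
    if product == MODULE_RANGE[0]:
        low, high = (parse_version(v)[0] for v in MODULE_RANGE[1:])
        return "affected" if low <= base <= high else "not in affected range"
    for ceiling in AFFECTED_CEILINGS[product]:
        c_base, c_rank, c_num = parse_version(ceiling)
        if c_base != base:            # different x.y.z branch, keep looking
            continue
        inside = (rank, num) <= (c_rank, c_num)
        return "affected" if inside else "not in affected range"
    return "branch not listed"      # e.g. an end-of-life branch: verify manually


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    for product, version in [("Magento Open Source", "2.4.8"),
                             ("Adobe Commerce", "2.4.9-beta1"),
                             ("Adobe Commerce B2B", "1.4.2-p7"),
                             ("Adobe Commerce", "2.3.7-p4")]:
        print(f"{product} {version}: {assess(product, version)}")
```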

Why is this noteworthy?

The SessionReaper flaw ranks among the most severe vulnerabilities ever discovered in Magento, standing alongside high-profile threats such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024). In a rare move, Adobe departed from its standard release schedule to issue patches for all supported versions of Adobe Commerce and Magento, underscoring the urgency and potentially far-reaching impact of the vulnerability.

What is the exposure or risk?

Attackers can exploit the SessionReaper vulnerability to bypass input validation in the Magento Web API. This allows for automated account takeover, data theft, and fraudulent orders, even without valid session tokens.

What are the recommendations?

Barracuda recommends the following actions to mitigate your risk:

  • Apply Adobe’s official patch immediately to fix the improper input validation flaw and block session takeover attempts.
  • For Adobe Commerce on Cloud users, confirm that Web Application Firewall (WAF) rules are fully up to date.
  • Monitor system and API logs for unusual or suspicious Web API requests that may indicate exploitation attempts.

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.