The effect of a critical zero-day vulnerability has been experienced on Magento and Adobe Commerce, which is called SessionReaper (CVE-2025-54236). According to security experts, this vulnerability is one of the most serious Magento bugs that has ever been found.
Adobe has affirmed that it will issue an emergency patch on September 9, 2025, not as part of its regular patching practice. This leaves no doubt as to how harmful this bug is. This patch is on the low profile, unlike the regular updates, to reduce early exploitation efforts.
Hopefully, the official patch and information will be posted tomorrow on the Adobe security advisory page:
Adobe Security Bulletin – Magento
What is SessionReaper?
SessionReaper (CVE-2025-54236) is a vulnerability in the WebAPI ServiceInputProcessor in Magento, which was found by the researchers at Sansec.
Concisely, attackers can develop malicious API requests to:
- Steal user or administrative accounts.
- Steal session tokens and masquerade as users.
- Bypass passwords entirely
- Hack into Magento administrators.
This vulnerability allows account takeover attacks at scale, a direct attack on the trust, financial information, and reputation of your customers and your business.
Why is this VERY Dangerous?
Sansec reports that:
- SessionReaper is one of the worst vulnerabilities of Magento in history.
- It can be compared to other notorious attacks, such as Shoplift (2015) and Ambionics (2019), that have invaded thousands of stores in just hours.
- Automated exploit tools are likely to be released soon after the attackers know the specifications.
That is why Adobe released this fix early, to release it as an emergency.
What You Must Do:
- Apply the Patch Immediately
Install the fix immediately when Adobe publishes it. The patch will probably be posted on the Adobe Security Bulletin – Magento.
- Movable Stopgaps (not foolproof)
In case you are unable to patch in real-time:
- Shut down or block unsafe API endpoints.
- Keep watch on the activity and logins during the session and note irregularities.
Note: There is only one real solution to use the official patch.
RiseCommerce Can Protect Your Store within Hours.
We are offering emergency Magento patching and upgrading services at RiseCommerce to assist eCommerce businesses in responding swiftly in such instances.
- Patch in Just a Few Hours- deploy fast to secure your site in a few hours.
- Minimum Downtime – your store is running and secure.
- Certified Experts – Relied on by businesses to get repairs done quickly.
Don’t wait. One unpatched vulnerability can result in stolen customer data, a scam, or a full store compromise.
Contact RiseCommerce Today
Get proactive in that you do not allow attackers to use SessionReaper in your store.
Email: [email protected]
WhatsApp: +91 98393 74777
“Our staff is ready to install the patch (CVE-2025-54236) SessionReaper and make sure that your business remains secure.”
Act now – This is a major vulnerability that is under active observation, and there is a reason why patches are going out earlier than planned.
“Protect your store, your customers, and your brand.”


