{"id":1520,"date":"2025-09-09T11:24:57","date_gmt":"2025-09-09T11:24:57","guid":{"rendered":"https:\/\/risecommerce.com\/blog\/?p=1520"},"modified":"2025-09-09T12:33:52","modified_gmt":"2025-09-09T12:33:52","slug":"critical-vulnerability-in-magento-sessionreaper-cve-2025-54236-update-before-its-too-late","status":"publish","type":"post","link":"https:\/\/risecommerce.com\/blog\/critical-vulnerability-in-magento-sessionreaper-cve-2025-54236-update-before-its-too-late\/","title":{"rendered":"Critical Vulnerability in Magento: SessionReaper (CVE-2025-54236) \u2013 Update before it’s too Late"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The effect of a critical zero-day vulnerability has been experienced on Magento and Adobe Commerce, which is called SessionReaper (CVE-2025-54236). According to security experts, this vulnerability is one of the most serious Magento bugs that has ever been found.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Adobe has affirmed that it will issue an emergency patch on September 9, 2025, not as part of its regular patching practice. This leaves no doubt as to how harmful this bug is. This patch is on the low profile, unlike the regular updates, to reduce early exploitation efforts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hopefully, the official patch and information will be posted tomorrow on the Adobe security advisory page:<\/span><\/p>\n<p><a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento.html\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">Adobe Security Bulletin \u2013 Magento<\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><b>What is SessionReaper?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">SessionReaper (CVE-2025-54236) is a vulnerability in the WebAPI ServiceInputProcessor in Magento, which was found by the researchers at Sansec.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Concisely, attackers can develop malicious API requests to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Steal user or administrative accounts.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Steal session tokens and masquerade as users.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Bypass passwords entirely<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Hack into Magento administrators.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This vulnerability allows account takeover attacks at scale, a direct attack on the trust, financial information, and reputation of your customers and your business.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Why is this VERY Dangerous?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Sansec reports that:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">SessionReaper is one of the worst vulnerabilities of Magento in history.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It can be compared to other notorious attacks, such as Shoplift (2015) and Ambionics (2019), that have invaded thousands of stores in just hours.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated exploit tools are likely to be released soon after the attackers know the specifications.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">That is why Adobe released this fix early, to release it as an emergency.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>What You Must Do:<\/b><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\"> Apply the Patch Immediately<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Install the fix immediately when Adobe publishes it. The patch will probably be posted on the<\/span><a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento.html\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">Adobe Security Bulletin \u2013 Magento<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\"> Movable Stopgaps (not foolproof)<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In case you are unable to patch in real-time:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Shut down or block unsafe API endpoints.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Keep watch on the activity and logins during the session and note irregularities.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Note: There is only one real solution to use the official patch.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>RiseCommerce Can Protect Your Store within Hours.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We are offering emergency Magento patching and upgrading services at RiseCommerce to assist eCommerce businesses in responding swiftly in such instances.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Patch in Just a Few Hours- deploy fast to secure your site in a few hours.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Minimum Downtime – your store is running and secure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Certified Experts – Relied on by businesses to get repairs done quickly.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Don\u2019t wait. One unpatched vulnerability can result in stolen customer data, a scam, or a full store compromise.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Contact RiseCommerce Today<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Get proactive in that you do not allow attackers to use SessionReaper in your store.<\/span><\/p>\n<p><b>Email: <\/b><span style=\"font-weight: 400;\">support@risecommerce.com<\/span><\/p>\n<p><b>WhatsApp:<\/b> <b>+91 98393 74777<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">“Our staff is ready to install the patch (CVE-2025-54236) SessionReaper and make sure that your business remains secure.”<\/span><\/p>\n<p><b>Act now – <\/b><span style=\"font-weight: 400;\">This is a major vulnerability that is under active observation, and there is a reason why patches are going out earlier than planned.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\"><b>\u201cProtect your store, your customers, and your brand.\u201d<\/b><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The effect of a critical zero-day vulnerability has been experienced on Magento and Adobe Commerce, which is called SessionReaper (CVE-2025-54236). According to security experts, this vulnerability is one of the most serious Magento bugs that has ever been found. Adobe has affirmed that it will issue an emergency patch on September 9, 2025, not as [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1519,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/posts\/1520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/comments?post=1520"}],"version-history":[{"count":5,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/posts\/1520\/revisions"}],"predecessor-version":[{"id":1527,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/posts\/1520\/revisions\/1527"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/media\/1519"}],"wp:attachment":[{"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/media?parent=1520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/categories?post=1520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/risecommerce.com\/blog\/wp-json\/wp\/v2\/tags?post=1520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}