Adobe Releases Emergency Patch for Critical Flaw in Commerce and Magento

Threat researchers from the Sansec Forensics Team have warned about a critical vulnerability in Adobe Commerce and Magento, an open-source e-commerce platform owned by Adobe.

In a report published on September 8, Sansec warned that the flaw, dubbed SessionReaper, could allow customer account takeover and unauthenticated remote code execution (RCE) under certain conditions.

It was reported in August through the bug bounty platform HackerOne by a security researcher known as ‘Blaklis.’

“Each time, thousands of stores got hacked, sometimes within hours of the flaw being published,” the Sansec researchers wrote.

The Sansec report claimed that Adobe discussed an emergency fix internally in August, then announced it to selected Commerce customers in early September.

However, the Sansec report noted that the Adobe patch was accidentally leaked in early September, “so bad actors may already be working on the exploit code.”

Adobe Releases Emergency Patch

Adobe released an emergency patch on September 9 in its APSB25-88 security advisory, assigning the flaw a CVE identifier (CVE-2025-542360) and a CVSS rating of 9.1.

The CVE entry noted that CVE-2025-542360 (aka SessionReaper) is a critical improper input validation flaw affecting Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and all prior releases.

The Adobe advisory also noted that if exploited, this vulnerability could allow an attacker to hijack active user sessions, resulting in severe compromises to both confidentiality and data integrity.

However, the Sansec researchers highlighted that neither the CVE entry nor the Adobe advisory mentions the risk of remote code execution, which has been confirmed by Blaklis on Slack.

According to the Sansec report, SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024).

Neither Adobe nor Sansec has detected any evidence of active exploitation of the SessionReaper vulnerability in the wild at the time of writing.

How to Patch and Mitigate SessionReaper

The Sansec researchers have confirmed that users already protected by Sansec Shield are safeguarded against this Adobe Commerce vulnerability.

For those without this protection, they strongly advised testing and deploying the official patch immediately. However, they cautioned that it may disrupt custom or third-party integrations due to changes in internal Magento functionality. Adobe has provided a developer guide to assist with implementation.

If patching cannot be completed within 24 hours of disclosure, Sansec recommended enabling a Web Application Firewall (WAF) as an emergency measure.

For users who applied the patch after the 24-hour window, Sansec researchers urged running a malware scan to check for potential compromise.

Additionally, they recommended rotating the secret cryptographic key, as exposure could allow attackers to persistently manipulate CMS blocks. Immediate action is critical to mitigate risks associated with this high-severity flaw.
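The first step in the mitigation advice above is knowing whether a given store runs one of the affected builds. The following is an added triage helper, not code from Sansec or Adobe: it parses Adobe Commerce version strings (release branch plus an optional alpha/beta/p suffix), reads the installed version out of a constructed composer.lock sample, and reports whether that version falls at or below the ceilings listed in the advisory text. It assumes the package is recorded under the name magento/product-community-edition (or the enterprise equivalent) in composer.lock, and it deliberately treats a matching version only as "patch required" rather than "unpatched", because the APSB25-88 fix is an isolated patch that does not bump the version number.

```python
import json
import re
from typing import Optional, Tuple

# Ceiling per release branch, taken from the advisory text: the listed version
# and every earlier build in that branch is affected.
AFFECTED_CEILING = {
    (2, 4, 9): ("alpha", 2),
    (2, 4, 8): ("p", 2),
    (2, 4, 7): ("p", 7),
    (2, 4, 6): ("p", 12),
    (2, 4, 5): ("p", 14),
    (2, 4, 4): ("p", 15),
}
OLDEST_LISTED_BRANCH = (2, 4, 4)  # "and all prior releases"

# Ordering of suffixes inside one branch: alpha < beta < GA (no suffix) < pN.
STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Package names assumed for the composer.lock lookup.
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Split '2.4.7-p7' into a branch (2, 4, 7) and a sortable suffix (3, 7)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    stage = m.group(4) or "ga"
    number = int(m.group(5)) if m.group(5) else 0
    return branch, (STAGE_RANK[stage], number)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is at or below an advisory ceiling, False if it is a
    later build of a listed branch, None if the branch is not mentioned at all."""
    branch, suffix = parse_version(version)
    ceiling = AFFECTED_CEILING.get(branch)
    if ceiling is not None:
        stage, number = ceiling
        return suffix <= (STAGE_RANK[stage], number)
    if branch < OLDEST_LISTED_BRANCH:
        return True
    return None


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Return the installed Magento product version recorded in composer.lock."""
    lock = json.loads(lock_text)
    for package in lock.get("packages", []):
        if package.get("name") in MAGENTO_PACKAGES:
            return package.get("version")
    return None


def triage(version: str) -> str:
    """Human-readable verdict; a version match does not prove the isolated
    APSB25-88 patch is absent, so the verdict says what to verify."""
    verdict = is_affected(version)
    if verdict is True:
        return (f"{version}: listed as affected; confirm the APSB25-88 patch is "
                "applied, otherwise patch now and front with a WAF meanwhile")
    if verdict is False:
        return f"{version}: later than the affected builds in its branch"
    return f"{version}: branch not named in the advisory; verify against Adobe"


# Constructed composer.lock fragment (not from a real store) for a local run.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7-p6"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p6"},
    ]
})

if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(triage(installed))
    for v in ("2.4.8", "2.4.8-p3", "2.4.9-alpha2", "2.4.9-beta1", "2.4.3-p3", "2.5.0"):
        print(triage(v))
```

Run it against a real store by replacing SAMPLE_LOCK with the contents of the store's composer.lock; the suffix ordering means a GA build such as 2.4.8 is correctly flagged as affected (it predates 2.4.8-p2), while 2.4.9-beta1 is reported as later than the 2.4.9-alpha2 ceiling rather than as safe.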
