Adobe Commerce / Magento, improper input validation session takeover (SessionReaper)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an improper input validation vulnerability. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Exploitation does not require user interaction, and researchers have described an unauthenticated path to remote code execution via the Commerce REST API.
Overview
CVE-2025-54236, nicknamed SessionReaper, is a critical (CVSS 9.1) improper input validation vulnerability in Adobe Commerce and Magento Open Source, the widely deployed e-commerce platform. A successful attacker can abuse the flaw to achieve session takeover, and security researchers have described an unauthenticated path to remote code execution through the Commerce REST API. Exploitation does not require user interaction. Adobe released security bulletin APSB25-88 with an emergency fix on September 9, 2025, the NVD publication date, rating the issue Critical and Priority 1. CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 24, 2025, confirming exploitation in the wild.
Technical Details
The weakness is classified as CWE-20 (improper input validation). Insufficient validation of attacker-controlled input, reachable through the Commerce REST API, allows an attacker to take over customer sessions and, as researchers demonstrated, can be leveraged toward unauthenticated remote code execution under certain configurations. The CVSS base score on the NVD record is 9.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, scored by Adobe as the CNA, reflecting high impact to confidentiality and integrity with no user interaction required. Adobe shipped the remediation as an isolated hotfix (tracked internally as VULN-32437) in addition to the standard security release, enabling merchants to apply the fix without a full version upgrade. The affected baseline includes Adobe Commerce 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, with the equivalent Magento Open Source patch levels.
Impact
- Session takeover of customer (and potentially privileged) accounts via the Commerce REST API.
- Researcher-demonstrated path to unauthenticated remote code execution under certain configurations.
- Compromise of storefront confidentiality and integrity, including customer and order data.
- Large-scale exposure, with a substantial share of Magento stores reported unpatched well after release.
Mitigation
- Apply Adobe security bulletin APSB25-88 by upgrading to the fixed patch level above your affected version (for example 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, or 2.4.4-p16, per Adobe's release matrix).
- If a full upgrade cannot be applied immediately, deploy Adobe's isolated SessionReaper hotfix (VULN-32437) for your version line as an interim remediation.
- Restrict or closely monitor access to the Commerce REST API and rotate session secrets and customer sessions after patching.
- Because exploitation is active, treat any unpatched, internet-facing store as potentially compromised: hunt for web shells and unauthorized changes, and conduct incident response if indicators are found.
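The first mitigation step is confirming where each environment stands against the fixed patch levels quoted above. The following is an added Python example, not Adobe's tooling or code from this advisory; the inventory, the hotfix flag and the treatment of 2.4.9 pre-release builds as needing the isolated hotfix are assumptions.

```python
import re

# Fixed patch levels per release line, from the APSB25-88 guidance quoted in
# this advisory. Assumption: 2.4.9 pre-release builds are affected and no
# fixed 2.4.9 level is given here, so they are treated as needing the hotfix.
FIXED_PATCH_LEVEL = {(2, 4, 8): 3, (2, 4, 7): 8, (2, 4, 6): 13,
                     (2, 4, 5): 15, (2, 4, 4): 16}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?(?:-([a-z]+\d*))?$")

def parse_version(version):
    """'2.4.7-p7' -> ((2, 4, 7), 7, None); a bare '2.4.7' is patch level 0.
    Returns None for strings that are not Magento-style version numbers."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    line = tuple(int(x) for x in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    return line, patch, m.group(5)

def assess(version, hotfix_applied=False):
    """Classify one install as 'patched', 'hotfixed', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    line, patch, prerelease = parsed
    fixed = FIXED_PATCH_LEVEL.get(line)
    if fixed is None:
        # 2.4.9 GA or anything newer is outside this advisory's matrix.
        if line > (2, 4, 9) or (line == (2, 4, 9) and prerelease is None):
            return "unknown"
        vulnerable = True  # 2.4.9 alphas and pre-2.4.4 lines ("and earlier")
    else:
        vulnerable = prerelease is not None or patch < fixed
    if not vulnerable:
        return "patched"
    return "hotfixed" if hotfix_applied else "vulnerable"

# Constructed inventory; values are (installed version, isolated hotfix applied).
INVENTORY = {"prod-eu": ("2.4.7-p7", False), "prod-us": ("2.4.7-p8", False),
             "staging": ("2.4.6-p12", True), "legacy": ("2.4.3-p3", False),
             "canary": ("2.4.9-alpha2", False)}

def audit(inventory):
    """Return {environment: status} for every install that is not fully patched."""
    statuses = {env: assess(v, h) for env, (v, h) in inventory.items()}
    return {env: s for env, s in statuses.items() if s != "patched"}

if __name__ == "__main__":
    for env, status in sorted(audit(INVENTORY).items()):
        print(f"{env}: {status}")
```

A "hotfixed" result is interim only: the environment still needs the full patch level before it counts as patched.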
Detection
Confirm patch state across every environment first: verify whether the SessionReaper hotfix (VULN-32437) or the corresponding APSB25-88 patch level is present, since researchers reported that a large share of stores remained unpatched for an extended period and were therefore exposed. Review web server and application logs for anomalous requests to the Commerce REST API, particularly requests with malformed or unexpected input structures, attempts to manipulate session identifiers, and traffic patterns consistent with the publicly discussed SessionReaper exploitation. Because the flaw enables session takeover, instrument session telemetry to flag abrupt changes in the source IP, user-agent, or geolocation of an authenticated session, reuse of session identifiers across disparate clients, and privilege use that does not follow a legitimate login. Given the demonstrated path toward remote code execution, integrity-check the codebase against a trusted reference (version control or file-integrity monitoring) to surface modified PHP files, inspect web-accessible directories for newly written PHP files or web shells, and look for unexpected child processes spawned by the web or PHP-FPM workers and for anomalous outbound connections.
E-commerce platforms are a prime target for payment-skimming (Magecart-style) injection, so review checkout, template, and JavaScript assets for unauthorized changes and monitor egress for traffic to unfamiliar domains that could exfiltrate card or session data. Correlate findings with Sansec and other responder-published indicators of compromise for SessionReaper and the associated exploitation campaigns. CISA added CVE-2025-54236 to the Known Exploited Vulnerabilities catalog on October 24, 2025; the catalog does not currently flag ransomware-campaign use, but with confirmed active exploitation, any store that was internet-facing while unpatched should undergo a full compromise assessment. Treat eradication as incomplete until the store is patched, customer and administrative sessions are invalidated and rotated, unauthorized admin accounts and injected skimmer code are removed, and the integrity of the codebase and payment flow is verified.
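The session-binding check described in this section, as an added Python example rather than code from the advisory or from Adobe: it runs over a constructed, simplified access-log layout (the field order and the sample entries are assumptions) and flags requests whose client fingerprint differs from the one the session first appeared with, noting whether each flagged request reached the REST API.

```python
import re

# Constructed, simplified access-log layout (not Magento's own format):
# timestamp, client IP, session id, method, path, quoted user agent.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) '
                    r'(?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample: session s-aaa starts in a browser, then is replayed from
# another address and client against the REST API; s-bbb stays consistent.
SAMPLE_LOG = """\
2025-10-25T09:12:01Z 203.0.113.10 sid=s-aaa GET /customer/account/ "Mozilla/5.0 (Windows NT 10.0) Firefox/131.0"
2025-10-25T09:12:40Z 203.0.113.10 sid=s-aaa GET /checkout/cart/ "Mozilla/5.0 (Windows NT 10.0) Firefox/131.0"
2025-10-25T09:13:05Z 198.51.100.7 sid=s-aaa POST /rest/V1/carts/mine/items "python-requests/2.32.3"
2025-10-25T09:13:09Z 198.51.100.7 sid=s-aaa GET /rest/V1/customers/me "python-requests/2.32.3"
2025-10-25T09:15:00Z 203.0.113.22 sid=s-bbb GET /catalog/product/view/id/7 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
2025-10-25T09:15:30Z 203.0.113.22 sid=s-bbb GET /rest/V1/products/SKU-1 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
this line is malformed and must be skipped
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_session_anomalies(entries):
    """Flag requests whose client fingerprint (IP, user agent) differs from the
    one the session was first seen with, i.e. a session id reused from another
    client. Each finding notes whether the request hit the Commerce REST API,
    the surface through which SessionReaper is reachable."""
    first_seen = {}
    findings = []
    for e in entries:
        fingerprint = (e["ip"], e["ua"])
        sid = e["sid"]
        if sid not in first_seen:
            first_seen[sid] = fingerprint
        elif fingerprint != first_seen[sid]:
            findings.append({
                "session": sid, "time": e["ts"], "path": e["path"],
                "original_client": first_seen[sid], "new_client": fingerprint,
                "rest_api": e["path"].startswith("/rest/"),
            })
    return findings

if __name__ == "__main__":
    for f in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} session {f['session']} moved to {f['new_client']} "
              f"on {f['path']} (REST API: {f['rest_api']})")
```

Legitimate clients do roam (mobile networks, proxies), so treat a fingerprint change as a triage signal to correlate with geolocation shifts and privilege use rather than as proof of takeover on its own.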