Week 37 – From Carts to Carnage: SessionReaper Targets Magento

8-15 Sept 2025
Adobe’s Patch Tuesday security bulletin has been published, and it includes a serious entry, CVE-2025-54236, our CVE of the Week. The vulnerability, dubbed SessionReaper, affects Adobe Commerce and Magento Open Source, Adobe’s e-commerce platforms.
SessionReaper resides in Magento’s Web API input handling. It abuses the framework’s service input processor, the component that converts incoming Web API request parameters into the typed arguments of a service method: by bypassing its parameter-type checks, an attacker can inject nested (complex) objects that the endpoint was never meant to accept, which can lead to unauthorized administrative actions. No prior authentication is needed. The bug allows customer account takeover and, under certain conditions, unauthenticated remote code execution, potentially handing control of a store to an attacker. Automated abuse is expected and merchants should act immediately.
The patched code enforces stricter type validation: only simple scalar parameters and recognized API Data Objects are accepted, and everything else is silently discarded before conversion, which blocks the injection vector.
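To make the mechanism concrete, the following is an added, self-contained PHP sketch of a miniature service input processor; it is not Magento’s code and is not part of the original post. Every class name under the `Demo\` namespaces is made up, the `Logger` side effect stands in for whatever an internal class might do when built from request data, and the rule “anything under an `Api\Data` namespace counts as an API Data Object” is a simplification of the real check, assumed here for illustration only. The same processor runs twice over one constructed request body: once in pre-patch mode, where any class reachable through a typed setter is instantiated from attacker-controlled nested arrays, and once in patched mode, where the non-data object is silently discarded before conversion.

```php
<?php
declare(strict_types=1);
// Added illustration (not Magento's code). A miniature "service input processor":
// it turns a nested request array into a typed service argument by calling setters.
// Every class name below (Demo\...) is made up for the example.

namespace Demo\Api\Data {
    // A legitimate API Data Object: plain getters/setters, no side effects.
    final class Address {
        private string $city = '';
        public function setCity(string $city): void { $this->city = $city; }
        public function getCity(): string { return $this->city; }
    }
}

namespace Demo\Internal {
    // NOT an API Data Object, but reachable through a typed setter. Its setter has a
    // side effect, standing in for whatever an internal class might do when an
    // attacker gets to construct it from request data.
    final class Logger {
        public static array $written = [];
        public function setPath(string $path): void { self::$written[] = $path; }
    }
}

namespace Demo\Service {
    // The declared parameter type of a service method. The second setter is the
    // path the input processor must not be allowed to follow.
    final class UpdateRequest {
        private ?\Demo\Api\Data\Address $address = null;
        private ?\Demo\Internal\Logger $logger = null;
        public function setAddress(\Demo\Api\Data\Address $a): void { $this->address = $a; }
        public function setLogger(\Demo\Internal\Logger $l): void { $this->logger = $l; }
        public function getAddress(): ?\Demo\Api\Data\Address { return $this->address; }
        public function getLogger(): ?\Demo\Internal\Logger { return $this->logger; }
    }
}

namespace Demo {
    final class InputProcessor {
        // $strict = false reproduces the pre-patch behaviour, true the patched rule.
        public function __construct(private bool $strict) {}

        // Simplified stand-in for "recognized API Data Object": anything under an
        // Api\Data namespace. The real rule is Magento's own; this is an assumption.
        private function isApiDataObject(string $class): bool {
            return str_contains($class, '\\Api\\Data\\');
        }

        // Build $className from $data by matching each key to a setter and converting
        // the value to the setter's declared parameter type.
        public function createFromArray(string $className, array $data): object {
            $obj = new $className();
            $ref = new \ReflectionClass($className);
            foreach ($data as $key => $value) {
                $setter = 'set' . ucfirst((string) $key);
                if (!$ref->hasMethod($setter)) {
                    continue;
                }
                $param = $ref->getMethod($setter)->getParameters()[0] ?? null;
                $type  = $param?->getType();
                $typeName = $type instanceof \ReflectionNamedType ? $type->getName() : '';
                if (is_array($value) && class_exists($typeName)) {
                    // Nested array for an object-typed parameter: this is the injection
                    // point. Pre-patch, any class named by the setter's type is built and
                    // populated from attacker-controlled data. Patched: only API Data
                    // Objects are built; everything else is silently discarded.
                    if ($this->strict && !$this->isApiDataObject($typeName)) {
                        continue;
                    }
                    $value = $this->createFromArray($typeName, $value);
                }
                $obj->$setter($value);
            }
            return $obj;
        }
    }
}

namespace {
    // Constructed request body: one legitimate nested DTO plus one nested object
    // that the endpoint never intended to accept.
    $payload = [
        'address' => ['city' => 'Budapest'],
        'logger'  => ['path' => '/tmp/not-a-log'],
    ];
    foreach (['pre-patch' => false, 'patched' => true] as $label => $strict) {
        \Demo\Internal\Logger::$written = [];
        $req = (new \Demo\InputProcessor($strict))
            ->createFromArray(\Demo\Service\UpdateRequest::class, $payload);
        printf("%-9s city=%s logger_built=%s side_effects=%s\n",
            $label,
            $req->getAddress()?->getCity() ?? '-',
            $req->getLogger() === null ? 'no' : 'yes',
            json_encode(\Demo\Internal\Logger::$written));
    }
}
```

Run it with PHP 8.1 or newer (the version Magento 2.4.x itself requires). The pre-patch pass builds the `Logger` and records its side effect; the patched pass still populates the `Address` DTO but never constructs the `Logger`, which is the behaviour the fix aims for. The point for reviewers of similar code is that the type check has to be applied to the declared parameter type of every setter reached recursively, not just to the top-level service argument, because the nested arrays in a JSON body are what carry the injected object.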
Exploitation goes through a store’s Web API endpoints, which are reachable without prior authentication; compromised API tokens or stolen administrator credentials are not required, although they would widen what an attacker can reach once inside.
A crafted request can inject malicious payloads into server-side objects and elevate privileges.
Adobe has released a security bulletin (APSB25-88) addressing this vulnerability:
https://helpx.adobe.com/security/products/magento/apsb25-88.html
The Adobe patch was accidentally published on GitHub last week, ahead of the bulletin, so bad actors may already be working on exploit code. The diff can be seen here:
https://github.com/magento/magento-cloud-patches/compare/7f46bdfe78…38d355d5ce

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.