Sep 8, 2025

SessionReaper: New Magento Exploit Targets Customer Sessions

Updated September 9, 2025: Adobe has released Security Bulletin APSB25-88, which provides the official hotfix for CVE-2025-54236 (SessionReaper). Merchants are strongly advised to apply this patch immediately.


A new vulnerability uncovered by Sansec Security Labs, called SessionReaper, poses a direct threat to Magento Open Source and Adobe Commerce stores. This exploit enables attackers to hijack active customer sessions, including checkout sessions, potentially giving them access to sensitive personal data, payment flows, and even administrative controls.

Unlike a typical injection or brute-force attack, SessionReaper takes advantage of session fixation flaws in the Magento session handling mechanism. By manipulating session identifiers, attackers may effectively impersonate customers or administrators without ever needing a password.
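To make the session fixation class concrete, here is an added illustration in Python. It is not Magento or Adobe Commerce code and does not reproduce the CVE-2025-54236 mechanism, which this post does not describe; it contrasts a toy session store that adopts any client-supplied identifier and keeps it across login with one that only honours identifiers it issued itself and rotates them at login. The class names, the `attach`/`login`/`whoami` methods and the sample user are assumptions made for the example.

```python
"""Session fixation, shown with a minimal in-memory session store.

Added example: not Magento/Adobe Commerce code and not the CVE-2025-54236
mechanism. It shows the generic flaw class the post names: a server that
keeps using a session identifier that was already known before the user
authenticated, so whoever knew that identifier shares the logged-in
session. The hardened store issues its own identifiers, ignores unknown
ones, and rotates the identifier when privilege changes.
"""
import secrets


class VulnerableSessionStore:
    """Adopts client-supplied ids and keeps them after login (the flaw)."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def attach(self, sid):
        # Any id the client presents becomes a valid session; only a missing
        # id gets a server-generated one.
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user):
        # Authenticates in place: the pre-login id stays the session id.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore:
    """Only honours server-issued ids and rotates the id at login."""

    def __init__(self):
        self.sessions = {}

    def attach(self, sid):
        # An id this server never issued is discarded and replaced.
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Rotate on privilege change: the pre-login id is destroyed, so an
        # id known before login can never refer to the authenticated session.
        data = self.sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def run_scenario(store_cls):
    """Walk one login through a store and report whether an identifier that
    was known before login still resolves to the logged-in user afterwards."""
    store = store_cls()
    planted = "a" * 32  # constructed: an id known to a third party before login
    victim_sid = store.attach(planted)  # the victim's browser arrives with it
    post_login_sid = store.login(victim_sid, "alice")  # constructed user
    return {
        "planted_id_resolves_to_user": store.whoami(planted) == "alice",
        "legitimate_id_resolves_to_user": store.whoami(post_login_sid) == "alice",
    }


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, run_scenario(cls))
```

The two properties a defender checks are visible in the result: the hardened store still serves the legitimate post-login identifier, but the pre-login identifier no longer maps to anyone. Real frameworks express the same rules as "regenerate the session id on authentication" and "do not create sessions for ids the server never issued".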

Summary of Risks

→ Session Hijacking – Active sessions, including logged-in users, may be taken over
→ Account Compromise – Stolen sessions could allow attackers to perform actions as the victim
→ Data Theft – Personally identifiable information (PII) and payment data may be exposed
→ Business Disruption – Unauthorized actions may undermine site trust and stability

Why It Matters for Merchants

For ecommerce businesses, session integrity is at the core of both customer trust and transactional security. Attacks like SessionReaper threaten technical stability and erode confidence in the shopping experience.

Because JetRails provides secure infrastructure and active monitoring for Magento environments, our clients have additional safeguards in place while developers apply emergency fixes. Our role is to:

  • Help harden hosting environments against session abuse
  • Provide continuity during urgent patching cycles
  • Support development teams with configuration and infrastructure best practices

Next Steps

Adobe has confirmed it will break its regular patch schedule to release an emergency fix for CVE-2025-54236 within 24 hours. Automated abuse is expected, so merchants should act immediately.

We strongly advise merchants to:

  1. Get the patch at: https://helpx.adobe.com/security/products/magento/apsb25-88.html
  2. Consult with your development team to prepare for immediate patching as soon as Adobe releases the update
  3. Confirm that your hosting and infrastructure partners are monitoring for suspicious activity

If you are a JetRails client and want to confirm that your environment is secure or need support during remediation, please contact our team.

🔗 SessionReaper Advisory – Sansec Security Labs
🔗 JetRails Security & Hosting
