{"id":2763,"date":"2025-09-11T07:53:23","date_gmt":"2025-09-11T07:53:23","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/11\/adobe-releases-emergency-patch-for-critical-flaw-in-commerce-and-magento\/"},"modified":"2025-09-11T07:53:23","modified_gmt":"2025-09-11T07:53:23","slug":"adobe-releases-emergency-patch-for-critical-flaw-in-commerce-and-magento","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/09\/11\/adobe-releases-emergency-patch-for-critical-flaw-in-commerce-and-magento\/","title":{"rendered":"Adobe Releases Emergency Patch for Critical Flaw in Commerce and Magento"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Threat researchers from the Sansec Forensics Team have warned about a critical vulnerability in Adobe Commerce and Magento, an open-source e-commerce platform owned by Adobe.<\/p>\n<p>In a report published on September 8, Sansec warned that the flaw, dubbed SessionReaper, could allow customer account takeover and unauthenticated remote code execution (RCE) under certain conditions.<\/p>\n<p>It was detected in August on the bug bounty platform HackerOne by a security researcher known as \u2018Blaklis.\u2019<\/p>\n<p>\u201cEach time, thousands of stores got hacked, sometimes within hours of the flaw being published,\u201d the Sansec researchers wrote.<\/p>\n<p>The Sansec report claimed that Adobe discussed an emergency fix internally in August, then announced it to selected Commerce customers in early September.<\/p>\n<p>However, the Sansec report noted that the Adobe patch was accidentally leaked in early September, \u201cso bad actors may already be working on the exploit code.\u201d<\/p>\n<h2><strong>Adobe Releases Emergency Patch<\/strong><\/h2>\n<p>Adobe released an emergency patch on September 9 in its APSB25-88 security advisory, assigning the flaw a CVE identifier (CVE-2025-542360) and a CVSS rating of 
9.1.<\/p>\n<p>The CVE entry noted that CVE-2025-542360 (aka SessionReaper) is a critical improper input validation flaw affecting Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and all prior releases.<\/p>\n<p>The Adobe advisory also noted that if exploited, this vulnerability could allow an attacker to hijack active user sessions, resulting in severe compromises to both confidentiality and data integrity.<\/p>\n<p>However, the Sansec researchers highlighted that neither the CVE entry nor the Adobe advisory mentions the risk of remote code execution, which has been confirmed by Blaklis on Slack.<\/p>\n<p>According to the Sansec report, SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024).<\/p>\n<p>Neither Adobe nor Sansec has detected any evidence of active exploitation of the SessionReaper vulnerability in the wild at the time of writing.<\/p>\n<h2><strong>How to Patch and Mitigate SessionReaper<\/strong><\/h2>\n<p>The Sansec researchers have confirmed that users already protected by Sansec Shield are safeguarded against this Adobe Commerce vulnerability.<\/p>\n<p>For those without this protection, they strongly advised testing and deploying the official patch immediately. However, they cautioned that it may disrupt custom or third-party integrations due to changes in internal Magento functionality. 
Adobe has provided a developer guide to assist with implementation.<\/p>\n<p>If patching cannot be completed within 24 hours of disclosure, Sansec recommended enabling a Web Application Firewall (WAF) as an emergency measure.<\/p>\n<p>For users who applied the patch after the 24-hour window, Sansec researchers urged running a malware scan to check for potential compromise.<\/p>\n<p>Additionally, they recommended rotating the secret cryptographic key, as exposure could allow attackers to persistently manipulate CMS blocks. Immediate action is critical to mitigate risks associated with this high-severity flaw.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat researchers from the Sansec Forensics Team have warned about a critical vulnerability in Adobe Commerce and Magento, an open-source e-commerce platform owned by Adobe. In a report published on September 8, Sansec warned that the flaw, dubbed SessionReaper, could allow customer account takeover and unauthenticated remote code execution (RCE) under certain conditions. 
It was<\/p>\n","protected":false},"author":2,"featured_media":2764,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2763-ba1fb29b-9d4e-40a7-8a96-c1b94d21cb5b-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2763"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2763\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2764"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}