This is a serious security notification for merchants using Magento or Adobe Commerce. The critical SessionReaper vulnerability (CVE-2025-54236) has moved from a theoretical risk to active exploitation by automated attackers. Immediate action is required to protect your store and customer data.
What is SessionReaper?
SessionReaper is a dangerous weakness found in the software that runs Adobe Commerce and Magento Open Source. Security researchers have tracked it as CVE-2025-54236.
How Does it Work?
Think of a customer’s shopping session as a temporary ID badge. This badge proves who they are while they browse your shop. SessionReaper is a flaw that allows an attacker to create a fake, working ID badge without needing a password.
Once the fake badge is accepted, the attacker can hijack the customer’s account, steal private information, or, in the worst cases (known as Remote Code Execution or RCE), take full control of your store’s server to install malware.
The Backstory of CVE-2025-54236
Adobe released a security fix six weeks ago (see Adobe's APSB25-88 security bulletin for details). However, security reports indicate that 62% of stores are still exposed.
Figure: Visual summary of the SessionReaper attack (CVE-2025-54236) and the critical, ongoing patching status across the ecosystem. Panel "Session Hijack: The Exploit": the flaw allows unauthenticated input to bypass validation, resulting in session hijacking or remote code execution (RCE). Panel "The Patching Race": patch released 6 weeks ago; 62% of stores remain vulnerable.
With exploit code now public, automated attacks are targeting unpatched shops right now. This vulnerability is comparable to past major flaws like Shoplift and CosmicSting that led to thousands of compromises quickly.
Three Ways to Secure Your Store URGENTLY
You must implement these fixes immediately to secure your store:
1. Apply the HotFix
- Download the hotfix VULN-32437-2-4-X-patch.
- Upload the patch to your Magento installation root directory and run this command:
patch -p1 < %patch_name%.composer.patch
- If the patch does not apply cleanly, retry the command with -p2 instead of -p1.
- Refresh the cache in the Admin under System > Cache Management.
2. Upgrade to Latest Version
This is the complete, permanent fix.
Test and deploy the official security patch or upgrade Magento to the latest version without delay.
Enjoy a hassle-free upgrade to the latest Magento version with our Adobe-certified experts.
3. Activate WAF Protection (Temporary Fix)
If patching takes time, immediately enable or configure your Web Application Firewall (WAF) as a temporary shield.
You can enhance this defense by:
- Blocking Attacker IPs: Configure your firewall to deny traffic from known attacker IP addresses.
- Blocking Vulnerable Paths: Block access to critical, vulnerable endpoints until the full patch is deployed.
Is Your Magento Store Secure?
If your store was exposed before the patch, a simple security update might not be enough. Attackers could have already left hidden backdoors.
Our Magento (Adobe Commerce) security experts can help you run a complete, deep security scan to thoroughly check all files, database entries, and logs. We find hidden compromises, remove malicious code, and verify that your store is clean and safe from SessionReaper and other zero-day threats. Contact us today for a security audit.