The SessionReaper vulnerability (CVE-2025-54236) is a critical flaw in Magento Open Source and Adobe Commerce that allows attackers to hijack customer sessions, leading to automated account takeover, data theft, and fraudulent orders. Adobe has released a critical patch for the vulnerability, which has a CVSS score of 9.1; it must be installed immediately to mitigate the risk.
Why is CVE-2025-54236 so critical?
Attack can be executed remotely and over the network
No special rights or conditions required
No user action required
Sensitive data can easily be viewed or manipulated
CVSS score of 9.1/10 – which means: critical
Thousands of online stores are at risk of being hacked within a few hours
Adobe has therefore made the patch available earlier than planned (the original release was scheduled for October 14).
What is CVSS and what does a score of 9.1 mean?
CVSS stands for Common Vulnerability Scoring System and indicates how serious a security vulnerability is.
The scores are categorized as follows:
0.1 – 3.9 = low
4.0 – 6.9 = medium
7.0 – 8.9 = high
9.0 – 10.0 = critical
CVE-2025-54236 scored a 9.1. It is therefore a critical vulnerability that requires immediate action from developers.
What does this mean for Magento Open Source (and Adobe Commerce)?
At the beginning of September, Adobe Commerce customers were informed via a direct notification. Users of Magento Open Source did not receive a notification, although they are equally vulnerable. Adobe classifies this patch as priority 2: no active attacks have been observed yet, but due to the impact, swift action is needed.
🔗 Download patch: VULN-32437-2-4-X-patch.zip
Why our customers were safe before the patch was available
Thanks to notifications from, among others, Sansec and the community, we were warned a day before the official patch release. Based on this information, we immediately implemented three protective measures:
Disabled REST API for customers who do not use it
Set up IP whitelisting for customers who do use the REST API
Enhanced logging to detect suspicious activity more quickly
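The second and third measures above (IP whitelisting for the REST API and logging that surfaces suspicious activity) can be driven from a single allowlist. The following Python script is an added example written for this article, not code from the agency or from Adobe: it keeps one allowlist of networks permitted to call the REST API, renders the matching nginx allow/deny directives from it, and reviews web-server access-log lines to flag REST requests from any source outside that allowlist. It assumes the nginx "combined" log format and Magento's default REST base path /rest/; the networks and log lines are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Networks permitted to call the REST API (constructed example values;
# replace with the integration hosts a given store actually uses).
REST_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. ERP/PIM integration range
    ipaddress.ip_network("198.51.100.7/32"),  # e.g. a monitoring system
]

# Path prefix under which Magento serves its REST API (Magento default;
# adjust if the store uses a custom base path).
REST_PREFIX = "/rest/"

# nginx "combined" access-log format (assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip_str):
    """True if the source address falls inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in REST_ALLOWLIST)


def find_unexpected_rest_calls(lines):
    """Return parsed records for REST API requests from non-allowlisted IPs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(REST_PREFIX) and not is_allowlisted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source IP for a quick triage view."""
    return Counter(h["ip"] for h in hits)


def nginx_allow_rules():
    """Render allow/deny directives from the same allowlist, meant to be placed
    inside the nginx location that handles REST_PREFIX (assumed deployment;
    adapt to the store's own vhost configuration)."""
    rules = [f"    allow {net.with_prefixlen};" for net in REST_ALLOWLIST]
    rules.append("    deny all;")
    return "\n".join(rules)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Sep/2025:16:02:11 +0200] "GET /rest/V1/products HTTP/1.1" 200 5120 "-" "erp-sync/1.0"',
    '192.0.2.44 - - [16/Sep/2025:16:05:42 +0200] "POST /rest/V1/orders HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.200 - - [16/Sep/2025:16:06:01 +0200] "GET /customer/account/login/ HTTP/1.1" 200 19044 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [16/Sep/2025:16:07:15 +0200] "GET /rest/V1/products HTTP/1.1" 401 120 "-" "python-requests/2.31"',
    "not a log line",
]

if __name__ == "__main__":
    print("nginx directives for the REST location:")
    print(nginx_allow_rules())
    flagged = find_unexpected_rest_calls(SAMPLE_LOG)
    for rec in flagged:
        print(f"UNEXPECTED REST CALL {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("per-IP totals:", dict(summarize_by_ip(flagged)))
```

Run against the constructed sample, the script flags the two REST requests from 192.0.2.44 and ignores both the allowlisted integration host and the ordinary storefront request. In practice the same allowlist should feed the nginx rules and the log review, so that a request which reaches the REST API from an unexpected address stands out immediately rather than blending into normal storefront traffic.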
Additionally, we completely reorganized our schedule to enable immediate patching of all online stores. At 4:00 PM, when the patch became available, our developers had already started rolling it out. Within a few hours, the majority of our customers were secured.
Not patched yet? Hurry up, because it is truly necessary. Ask our experts how we can assist you.