The SessionReaper is the most critical bug in the history of Magento Commerce
On the 9th of September Adobe released an emergency patch for CVE-2025-54236. CVE-2025-54236 is high risk, so it is strongly advised to apply the security patch as soon as possible after its release. The biggest reason for the high risk is that potential attackers could easily take over customer accounts in Adobe Commerce through the Commerce REST API.
Why is CVE-2025-54236 / SessionReaper a critical vulnerability?
- Hackers can exploit this vulnerability remotely over a network
- Hackers can easily perform an attack which does not need special requirements
- Hackers don’t need special rights to exploit this vulnerability
- No user interaction is needed for exploitation
- Private information could be easily leaked
- Private information could easily be changed or falsified
CVE-2025-54236 has a CVSS-score of 9.1 out of 10
Adobe named CVE-2025-54236 the SessionReaper. The SessionReaper is the biggest vulnerability in Adobe Commerce history. There is a warning that thousands of stores are at risk of being hacked in just a couple of hours. For this reason, the security patch was released earlier than the scheduled release on the 14th of October.
CVE-2025-54236 has a CVSS score of 9.1 out of 10. CVSS, the Common Vulnerability Scoring System, is an internationally used standard for rating how severe a security vulnerability is. The scores can be read as follows:
- 0.1 – 3.9 = low
- 4.0 – 6.9 = medium
- 7.0 – 8.9 = high
- 9.0 – 10 = critical
CVE-2025-54236 got a score of 9.1. This means that SessionReaper is a critical security vulnerability. It requires a serious approach, and developers need to take immediate action to prevent damage.
"SessionReaper can hack thousands of stores in just a couple of hours"
In August Adobe's team had an emergency meeting about this bug, and on the 4th of September they notified Commerce customers. Open Source Magento users were not notified.
Update: Adobe Commerce released the patch and researched the vulnerability. They concluded that this vulnerability gets a priority of 2. This means that so far no exploitation has been seen. However, the CVSS score shows that this vulnerability still requires serious action.
The fix for CVE-2025-54236 can be accessed through the following link: https://repo.magento.com/patch/VULN-32437-2-4-X-patch.zip. Copy and paste the link into your browser to download the ZIP.
If you need any help with applying the patch, contact us.
Why our customers were not affected
We were alerted to this vulnerability by Sansec one day before the official patch release. As soon as we realized the potential impact it could have on our customers’ webshops, we immediately took action with three protective measures:
- Disabled the REST API for customers who don’t use it, removing unnecessary exposure.
- Set up IP whitelisting for those who do use the REST API, allowing access only from trusted sources.
- Enhanced our logging to spot suspicious activity faster and intervene if needed.
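As an added illustration of the second and third measures (this is example code written for this post, not the agency's own tooling), the script below audits nginx access-log lines for Magento REST API requests that come from an IP outside a trusted allowlist, or that hit a store where the REST API was meant to be disabled. The log lines, IP addresses and allowlist are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample access-log lines in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Sep/2025:16:02:11 +0200] "GET /rest/V1/products?searchCriteria= HTTP/1.1" 200 5120 "-" "erp-sync/1.0"
198.51.100.7 - - [09/Sep/2025:16:03:45 +0200] "POST /rest/V1/customers HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.7 - - [09/Sep/2025:16:03:46 +0200] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Sep/2025:16:05:00 +0200] "GET /rest/default/V1/store/storeViews HTTP/1.1" 200 810 "-" "erp-sync/1.0"
192.0.2.55 - - [09/Sep/2025:16:06:30 +0200] "GET /rest/V1/modules HTTP/1.1" 401 44 "-" "python-requests/2.31"
"""

# Fields we need from a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_rest_request(path):
    # Magento serves its REST API under /rest/..., optionally followed by a store code.
    return path.startswith("/rest/")


def audit_rest_access(log_text, allowlist, rest_enabled=True):
    """Return (ip, method, path, status, reason) for each REST request that
    violates the policy: REST disabled for this store, or IP not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_rest_request(m["path"]):
            continue  # unparsable line or normal storefront traffic
        ip = m["ip"]
        if not rest_enabled:
            reason = "REST request on a store where the REST API should be disabled"
        elif ip not in allowlist:
            reason = "REST request from IP outside the allowlist"
        else:
            continue  # trusted integration, nothing to report
        findings.append((ip, m["method"], m["path"], int(m["status"]), reason))
    return findings


def offenders_by_ip(findings):
    """Count findings per source IP so the noisiest sources surface first."""
    return Counter(ip for ip, *_ in findings)


if __name__ == "__main__":
    for f in audit_rest_access(SAMPLE_LOG, allowlist={"203.0.113.10"}):
        print(f)
```

Point the script at a real access log and the allowlist you configured for that store; every finding is a request that should not have reached the REST API at all.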
On top of that, we reshuffled our schedule to make sure patching our customers’ webshops became our top priority.
By 16:00, the moment the patch was live, our developers were already rolling it out. Within just a few hours, nearly all customer sites were secured. This meant working late into the evening — but keeping our customers’ webshops safe comes first. A huge shout‑out to our dedicated team for going the extra mile!