Adobe on Tuesday released a patch for a critical vulnerability in its Magento Commerce and Magento Open Source platforms, known to researchers as SessionReaper and identified as CVE-2025-54236. The flaw could be exploited without authentication to take control of customer accounts via the Commerce REST API, Adobe said in a security bulletin. Cloud customers are protected by an Adobe-deployed web application firewall (WAF).
Sansec, an e-commerce security firm, said Adobe notified selected Commerce customers on Sept 4 about an upcoming emergency fix planned for Sept 9. Sansec's advisory notes that the patch is scheduled for Sept 9 and that no exploitation in the wild has been observed; Adobe's security bulletin likewise reports no confirmed in-the-wild activity.
The release notes warn that the hotfix is intended to close the vulnerability but may disable internal Magento functionality, potentially affecting some custom or external code. Administrators are urged to test and apply the patch immediately; a direct download of the patch is available at repo.magento.com.
Sansec also cautioned that a preliminary hotfix for CVE-2025-54236 leaked last week, possibly enabling threat actors to prepare exploits in advance.
Researchers say exploitation would likely rely on session data being stored on the file system, a configuration that is the default in many stores. Sansec describes SessionReaper as among the most severe Magento vulnerabilities in history, alongside CosmicSting, TrojanOrder, Ambionics SQLi, and Shoplift.
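As an added example (not code from the article, Adobe or Sansec), the following Python triage helper reads a store's `app/etc/env.php` and reports whether sessions are stored on the file system, the configuration the researchers single out. The `env.php` text below is constructed; the `session`/`save` keys are Magento's standard `env.php` layout, and the fallback to `files` when the key is absent reflects Magento's documented default (stated here as an assumption).

```python
import re

# Constructed sample of a Magento app/etc/env.php fragment (not from the article).
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'cache' => ['frontend' => ['default' => ['backend' => 'Cm_Cache_Backend_File']]],
];
"""


def session_backend(env_php: str) -> str:
    """Return the configured session backend ('files', 'db', 'redis', ...).

    Finds the top-level 'session' array in env.php and reads its 'save' key.
    Assumption: Magento uses file-based sessions when the key is not set.
    """
    start = re.search(r"'session'\s*=>\s*\[", env_php)
    if not start:
        return "files"
    # Walk the bracket nesting to find where the session array ends,
    # so a 'save' key in some other array is never picked up by mistake.
    depth, i = 1, start.end()
    while i < len(env_php) and depth:
        depth += {"[": 1, "]": -1}.get(env_php[i], 0)
        i += 1
    block = env_php[start.end():i]
    save = re.search(r"'save'\s*=>\s*'([A-Za-z_]+)'", block)
    return save.group(1) if save else "files"


def triage(env_php: str) -> dict:
    """Summarise the session configuration for a quick exposure check."""
    backend = session_backend(env_php)
    return {"session_backend": backend, "file_based_sessions": backend == "files"}


if __name__ == "__main__":
    print(triage(SAMPLE_ENV_PHP))
```

Run it against the real `app/etc/env.php` of each store to see which instances still rely on file-based sessions; it does not check whether the hotfix itself has been applied.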