The critical vulnerability SessionReaper (CVE-2025-54236) affects Magento and Adobe Commerce platforms, potentially granting unauthenticated attackers complete store control. Over 50% of global stores have already faced automated exploitation attempts. Immediate action is essential for merchants.

  • October 22nd: mass SessionReaper attacks have started

In August 2025, a severe vulnerability (CVSS 9.1) was identified in every version of Adobe Commerce and Magento. Named SessionReaper and tracked as CVE-2025-54236, the flaw enables attackers to hijack customer accounts and, in specific scenarios, execute remote code without authentication.

Adobe disrupted its standard release cycle to issue an urgent patch in early September. Yet, the company minimized the threat in its advisory, omitting that attackers could achieve complete server compromise. The researcher who reported CVE-2025-54236 verified this risk in a Slack discussion.

Timeline of SessionReaper (CVE-2025-54236) Vulnerability

  • August 22: Adobe inadvertently discloses the emergency patch for SessionReaper.
  • September 4: Adobe notifies a select group of Commerce customers about the emergency patch in private.
  • September 9: Adobe issues the emergency update for SessionReaper (CVE-2025-54236) via APSB25-88, classifying it as Priority 2 (recommended patching within 30 days).
  • September 19: Only about one-third of Magento stores have applied the patch, ten days post-release. Adobe Commerce Cloud fares slightly better, with roughly half updated.
  • October 14: Adobe incorporates the emergency fix into its routine security update, APSB25-94.
  • October 22: Initial exploitation attempts emerge following a vulnerability breakdown shared by AssetNote.
  • October 23: Patching rate stands at just 38% across stores.
  • October 24: Widespread attacks target approximately 31% of Magento stores; Adobe acknowledges the exploits and escalates the issue to Priority 1 (mandatory patching within 72 hours).
  • October 26: Attacks affect nearly 49% of all stores, with estimates indicating 16-18% now compromised by at least one backdoor.

Technical Mr Star monitors global e-commerce threats in real time. Attackers upload PHP backdoors through the /customer/address_file/upload endpoint by disguising them as session data. This occurs even on patched systems, since Adobe addressed only the session deserialization flaw and left the unrestricted file upload vulnerability untouched.

If your system was patched promptly and no malicious session files are present, you are likely secure. Still, we strongly advise deleting any suspicious files and performing a full malware scan to confirm no backdoors were planted in your codebase.
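A small triage helper for the two points above (requests to the upload endpoint, and session-shaped files that actually carry PHP), added here as an example and not code from the original post, Adobe or any scanner vendor. The combined log format, the directory walked and the sample session contents are assumptions.

```python
"""Added triage helper (example, not from the original post): flag POSTs to the
upload endpoint named in the text and find files under a session directory
that contain a PHP open tag, which serialized session data never should."""
import os
import re
import tempfile

# Assumption: Apache/nginx combined log format; only the request line is parsed.
UPLOAD_ENDPOINT = "/customer/address_file/upload"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A PHP open tag (<?php or <?=) inside supposed session data is a red flag.
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def suspicious_log_lines(lines):
    """Return the log lines that are POST requests to the upload endpoint."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "POST" and m.group("path").startswith(UPLOAD_ENDPOINT):
            hits.append(line)
    return hits


def files_with_php_tags(directory, max_bytes=1_000_000):
    """Return sorted paths of files under `directory` whose first `max_bytes`
    contain a PHP open tag. Treat every hit as something to quarantine and review."""
    found = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    if PHP_TAG_RE.search(fh.read(max_bytes)):
                        found.append(path)
            except OSError:  # unreadable file: skip, do not abort the sweep
                continue
    return sorted(found)


def demo():
    """Constructed sample data: two log lines and a temporary session directory."""
    logs = [
        '203.0.113.5 - - [24/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512',
        '198.51.100.7 - - [24/Oct/2025:10:01:09 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9000',
    ]
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sess_abc"), "wb") as f:
            f.write(b'a:1:{s:4:"cart";i:3;}')            # benign serialized session
        with open(os.path.join(d, "sess_def"), "wb") as f:
            f.write(b"x|<?php echo 'marker'; ?>")        # session-shaped file hiding PHP
        return len(suspicious_log_lines(logs)), [os.path.basename(p) for p in files_with_php_tags(d)]
```

Point `files_with_php_tags` at the store's real session directory and feed `suspicious_log_lines` the web server access log to get a first list of items to quarantine and investigate; it does not replace the full malware scan recommended above.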

If you cannot apply the patch safely within the next 24 hours, enable a Web Application Firewall (WAF) for immediate defense. Fastly WAF (used on Adobe Commerce Cloud) and Cloudflare mitigate certain vectors but fail to stop every attack.

Is Your Magento Store Truly Secure?

Even if you applied the patch, exposure before the fix could mean attackers already planted stealth backdoors.

We detect hidden webshells, clean malicious code, and confirm your store is fully protected against SessionReaper and other zero-days.

Contact us now for a professional security audit and peace of mind.
