Vulnerability
Advisory/Mitigation
Exploitation Wave
Security Patch Release
Adobe Commerce SessionReaper exploitation and emergency remediation
Updated 24.10.2025 00:25
Case score 66
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 66
- Main story score
- 63
- Related evidence lift
- +3 / 20
- Contributing updates
- 1
- Context updates
- 2
Top contributors
- Vulnerability Core flaw in Adobe Commerce with session takeover impact through the Commerce REST API. main
- Security Patch Release Emergency update for the same CVE and product line; remediation context. context
- Advisory Mitigation Urgent guidance to deploy the patch and use temporary WAF protection. context
- Exploitation Wave Confirms live exploitation, blocked attempts, and attack patterns tied to SessionReaper. contributes
Case score 66
Members 4
Latest activity 24.10.2025 00:25
Active exploitation
Patch status varies by member
CVSS: 9.8 Critical
Members 4
First seen 09.09.2025 18:53
Last seen 24.10.2025 00:25
Updated 24.10.2025 00:25
Overview
**CVE-2025-54236** in **Adobe Commerce** has moved into active abuse, with SessionReaper attempts targeting the **Commerce REST API** and Sansec already blocking more than **250** attempts against multiple stores. The flaw can let an attacker take control of customer account sessions without user interaction, which makes exposed commerce deployments an immediate concern.
Adobe has already issued an emergency update for **Adobe Commerce** and **Magento Open Source**, and **Adobe Commerce on Cloud** customers had a temporary **WAF rule** while administrators tested and deployed the fix. Available evidence confirms live attack attempts, but the full extent of successful compromise remains unknown.
Attackers are exploiting **CVE-2025-54236** in **Adobe Commerce** through the **Commerce REST API**, and Sansec has already blocked more than **250** attempts against multiple stores. The flaw, known as **SessionReaper**, is an improper input validation issue that can let an attacker take control of customer account sessions without user interaction. Adobe Commerce versions **2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 (and earlier)** are in scope, which keeps exposed and unpatched deployments at risk.
Adobe issued an emergency update for **Adobe Commerce** and **Magento Open Source** on **Sept. 9** to remediate the vulnerability, and the fix is the authoritative repair path for affected systems. Adobe Commerce on Cloud customers also had a temporary **WAF rule** while administrators tested and deployed the patch. Many stores remained unpatched when the exploitation was reported, so exposed deployments still face immediate risk. Available evidence shows live abuse attempts and blocking activity, but it does not quantify how many stores were successfully compromised.
Signals
6 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.8 Critical
CVEs/products
CVE
Remediation
Urgency
Immediate
Remediation
Threat context
Actor
Sansec
Member happenings
4 related
Vulnerability
Adobe Commerce SessionReaper improper input validation flaw (CVE-2025-54236)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Vulnerability
Adobe Commerce SessionReaper improper input validation flaw (CVE-2025-54236)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Exploitation Wave
Adobe Commerce SessionReaper exploitation wave (CVE-2025-54236)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Exploitation Wave
Adobe Commerce SessionReaper exploitation wave (CVE-2025-54236)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Advisory/Mitigation
Adobe mitigation guidance for Adobe Commerce and Magento Open Source urgent remediation for CVE-2025-54236
Urgency
Immediate
Patch
Patch Available
Advisory/Mitigation
Adobe mitigation guidance for Adobe Commerce and Magento Open Source urgent remediation for CVE-2025-54236
Urgency
Immediate
Patch
Patch Available
Security Patch Release
Adobe security patch release for CVE-2025-54236
Exploitation
Active Exploitation
CVSS
9.8 Critical
Urgency
Immediate
Patch
Patch Available
Security Patch Release
Adobe security patch release for CVE-2025-54236
Exploitation
Active Exploitation
CVSS
9.8 Critical
Urgency
Immediate
Patch
Patch Available