Vulnerability
Advisory/Mitigation
Exploitation Wave
Security Patch Release
Adobe Commerce SessionReaper exploitation and emergency remediation
Updated 24.10.2025 00:25
Case score 66
Score breakdown
- Total: 66
- Lead score: 63
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 2
Top contributors
- Vulnerability (base): Core flaw in Adobe Commerce with session-takeover impact through the Commerce REST API.
- Security Patch Release (context): Emergency update for the same CVE and product line; remediation context.
- Advisory/Mitigation (context): Urgent guidance to deploy the patch and use temporary WAF protection.
- Exploitation Wave (support): Confirms live exploitation, blocked attempts, and attack patterns tied to SessionReaper.
Members 4
Latest activity 24.10.2025 00:25
Active exploitation
Patch/mitigation varies by member
CVSS: 9.8 Critical
First seen 09.09.2025 18:53
Last seen 24.10.2025 00:25
Overview
**CVE-2025-54236**, known as **SessionReaper**, is an improper input validation flaw in **Adobe Commerce** that is reachable through the **Commerce REST API** and can let an attacker take over customer account sessions without any user interaction. It is now under active abuse: Sansec has already blocked more than **250** exploitation attempts against multiple stores. Adobe Commerce versions **2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier** are in scope, so any exposed deployment that has not been patched is at immediate risk.
Adobe issued an emergency update for **Adobe Commerce** and **Magento Open Source** on **Sept. 9**, and that update is the authoritative fix. **Adobe Commerce on Cloud** customers were also given a temporary **WAF rule** to cover the window while administrators tested and rolled out the patch; the rule is a stopgap, not a substitute for patching. Many stores were still unpatched when the exploitation was reported. The available evidence confirms live attack attempts and blocked traffic, but it does not quantify how many stores were actually compromised, so an in-scope store should be verified as patched rather than assumed untouched.
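The version list above is what an operator actually has to check across a fleet, and Magento-style suffixes (`-alphaN`, `-pN`) do not sort correctly as plain strings. The following triage helper is an added example, not code from the page, Adobe or Sansec. The affected ceilings are copied from the overview; the ordering rule for suffixes (pre-release below the plain release, `-pN` above it), the `bin/magento --version` banner format, and the host names and version strings in the sample inventory are assumptions made for the example. A version above its line's ceiling is reported only as "not listed": it does not prove the Sept. 9 emergency update was applied, which must be verified separately.

```python
import re

# Ceilings copied from the overview above: the newest build of each release line that is
# in scope for CVE-2025-54236. "And earlier" covers lower patch levels of these lines and
# release lines older than any of them.
AFFECTED_CEILINGS = (
    "2.4.9-alpha2",
    "2.4.8-p2",
    "2.4.7-p7",
    "2.4.6-p12",
    "2.4.5-p14",
    "2.4.4-p15",
)

# Ordering assumption for Magento-style suffixes: pre-release stages sort below the
# plain release and "-pN" patch builds sort above it (2.4.9-alpha2 < 2.4.9 < 2.4.9-p1).
_STAGE_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?\b")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple (major, minor, patch, stage_rank, stage_number).

    Accepts a bare version ("2.4.7-p7") or a line containing one, e.g. the
    `bin/magento --version` banner (banner format is assumed, not taken from the page).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage or ""], int(num or 0))


# Map each listed release line (major, minor, patch) to its parsed ceiling.
_CEILING_BY_LINE = {parse_version(c)[:3]: parse_version(c) for c in AFFECTED_CEILINGS}
_OLDEST_LISTED_LINE = min(_CEILING_BY_LINE)


def is_in_scope(version: str) -> bool:
    """True if `version` is at or below the published ceiling for its release line,
    or belongs to a line older than any listed one. Anything newer is only
    'not listed': the Sept. 9 emergency update still has to be verified."""
    v = parse_version(version)
    line = v[:3]
    if line in _CEILING_BY_LINE:
        return v <= _CEILING_BY_LINE[line]
    return line < _OLDEST_LISTED_LINE


def triage(inventory: dict) -> dict:
    """Split {host: version_string} into hosts that are in scope and hosts not listed."""
    result = {"in_scope": [], "not_listed": []}
    for host, version in sorted(inventory.items()):
        result["in_scope" if is_in_scope(version) else "not_listed"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings, not real data).
SAMPLE_INVENTORY = {
    "shop-eu-01": "Magento CLI 2.4.7-p3",
    "shop-eu-02": "2.4.8-p2",
    "shop-us-01": "2.4.9-alpha3",
    "shop-legacy": "2.3.7-p4",
    "shop-staging": "2.4.9",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the output of `bin/magento --version` collected from each store; hosts in the `in_scope` bucket are the ones whose patch state needs to be confirmed first, and a 2.3.x store lands there because every line older than 2.4.4 is covered by "and earlier".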