Adobe mitigation guidance for Adobe Commerce and Magento Open Source urgent remediation for CVE-2025-54236
Advisory/Mitigation
Summary
Adobe urged Adobe Commerce and Magento Open Source administrators to test and deploy the available patch immediately for CVE-2025-54236, reducing the risk of unauthenticated abuse of the Commerce REST API. The advisory centers on the SessionReaper flaw, which researchers describe as one of the platform's most severe issues. Adobe Commerce on Cloud customers had a temporary WAF rule in place while remediation moved forward.
Cases
Related Happenings
MOVEit Automation authentication bypass (CVE-2026-4670)
Vulnerability
First: 04.05.2026 15:18
Last: 04.05.2026 15:18
Sources 1
About this happening:
A critical **authentication bypass** in **MOVEit Automation** affects versions before **2025.1.5**, **2025.0.9**, and **2024.1.8**, creating remote access risk for exposed file-tr...
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/Mitigation
First: 21.04.2026 14:17
Last: 21.04.2026 14:17
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
Microsoft April 2026 Patch Tuesday security updates (167 flaws)
Security Patch Release
First: 14.04.2026 20:41
Last: 14.04.2026 20:41
Sources 1
About this happening:
Microsoft's **April 2026 Patch Tuesday** ships **security updates** for **167 flaws**, including **2 zero-days**, reducing exposure across widely used Microsoft software. The rele...
Adobe security patch release for CVE-2026-34621
Security Patch Release
First: 12.04.2026 07:25
Last: 12.04.2026 07:25
Sources 1
About this happening:
**Adobe** issued **emergency updates** for **Acrobat Reader**, **Acrobat DC**, and **Acrobat 2024** after **CVE-2026-34621** was found **actively exploited in the wild**. The patc...
Adobe Reader zero-day exploited via malicious PDFs security flaw
Vulnerability
First: 09.04.2026 12:22
Last: 09.04.2026 12:22
Sources 1
About this happening:
**Adobe Reader** is facing an **actively exploited zero-day** delivered through **malicious PDF documents** and observed since at least **December**. The flaw works on the **lates...
Latest development: 13.04.2026 18:37
Adobe released an emergency security update for Acrobat Reader to fix CVE-2026-34621 after zero-day exploitation in malicious PDF files. The bulletin says Acrobat DC versions 26.001.21367 and earlier, Acrobat Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier are affected, and Adobe recommends updating through Help > Check for Updates or the official installer.
Timeline
- 09.09.2025 18:53 · 1 article · 8mo ago
Adobe notifies selected Commerce customers of an emergency fix for CVE-2025-54236
Initial Disclosure
Adobe notified selected Commerce customers that an emergency fix was planned for Adobe Commerce and Magento Open Source, warning that the update would address a critical vulnerability later identified as CVE-2025-54236 and SessionReaper.
Sources:
- Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
- 09.09.2025 18:53 · 2 articles · 8mo ago
Adobe releases a patch for unauthenticated SessionReaper exploitation in Commerce and Magento Open Source
Mitigation Patch Update
Adobe released a patch for CVE-2025-54236 after researchers said the flaw could be exploited without authentication through the Commerce REST API to take control of customer accounts. Adobe Commerce on Cloud customers also had a temporary WAF rule in place as an interim measure, and administrators were urged to test and deploy the patch immediately.
Sources:
- Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53