Adobe has issued an urgent security advisory, specifically for CVE-2025-54236, also known as SessionReaper, affecting Adobe Commerce and Magento Open-Source platforms. This flaw has been assigned a CVSS score of 9.1 out of 10, indicating a severe security risk that could lead to unauthorized access and full compromise of customer accounts via the Commerce REST API.
What is CVE-2025-54236?
CVE-2025-54236 is classified as an improper input validation vulnerability. According to Adobe’s official advisory, a malicious actor could exploit this bug by interacting with the Commerce REST API, potentially taking full control of customer accounts. Although no active exploitation has been detected in the wild, Adobe has emphasized the critical nature of the vulnerability and urged users to apply the necessary security patches immediately.
“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe stated in its advisory (APSB25-88).
Affected Products and Versions
The vulnerability impacts several versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, including but not limited to:
- Adobe Commerce: Versions 2.4.9-alpha2 and earlier
- Magento Open Source: Versions 2.4.9-alpha2 and earlier
- Adobe Commerce B2B: Versions 1.5.3-alpha2 and earlier
- Custom Attributes Serializable module: Versions 0.1.0 to 0.4.0
A detailed list of affected patch levels is included in Adobe’s security bulletin.
The Patch: VULN-32437-2-4-X
To address the vulnerability, Adobe has released a hotfix identified as VULN-32437-2-4-X-patch, which directly mitigates CVE-2025-54236. Users are strongly advised to implement this fix without delay. Failure to do so may leave systems exposed, and Adobe has noted that its ability to provide remediation support will be limited if the patch is not applied.
For those using the Custom Attributes Serializable module (versions 0.1.0 – 0.3.0), an update to version 0.4.0 or later is required. This can be done using the following Composer command:
composer require magento/out-of-process-custom-attributes=0.4.0 –with-dependencies
Protection for Cloud and Managed Services Users
For users hosted on Adobe Commerce Cloud infrastructure, Adobe has deployed Web Application Firewall (WAF) rules to block potential exploitation attempts. Additionally, those on Managed Services can seek guidance from their Customer Success Engineer for help in applying the fix.
However, it is important to note that the presence of WAF rules does not eliminate the need to apply the patch. These rules are meant as a temporary mitigation layer, not a permanent solution.
Verifying the Patch
Adobe recommends using the Quality Patches Tool to verify whether the patch has been successfully applied. For example, to check if a given patch, such as VULN-27015-2.4.7_COMPOSER.patch has been installed, users can run the following command:
vendor/bin/magento-patches -n status | grep “27015|Status”
This will return an “Applied” status if the patch is active, offering peace of mind for administrators who need to confirm the remediation.
The vulnerability was reported to Adobe by an independent security researcher named blaklis. While there is no evidence that SessionReaper (CVE-2025-54236) has been weaponized yet, its potential impact on e-commerce businesses is considerable.
Urgent Call to Action
Given the widespread use of Adobe Commerce and Magento Open Source platforms in the e-commerce ecosystem, the discovery of SessionReaper should not be taken lightly. Organizations using any of the affected versions must:
- Apply the VULN-32437-2-4-X-patch immediately.
- Update the Custom Attributes Serializable module to 0.4.0 or higher.
- Confirm patch application using Adobe’s recommended tools.
- Consult Adobe support or Customer Success Engineers for guidance if needed.
Adobe has made the latest security updates available through its official security bulletin, where users can find detailed patch instructions and support resources.
