Adobe Warns Of SessionReaper Bug In Commerce And Magento

Tomas Janu
September 11, 2025
Platforms

Adobe has released an emergency, out-of-band patch for a critical vulnerability dubbed SessionReaper, which affects both Adobe Commerce and Magento Open Source.

The flaw, tracked as CVE-2025-54236, carries a CVSS base score of 9.1 (critical). Left unpatched, it could allow an unauthenticated attacker to take over customer accounts and, depending on the store's configuration, gain control of the entire store.

Adobe broke its normal release schedule to get the fix out quickly. Security researchers at Sansec warn that automated, large-scale exploitation is likely to follow soon, particularly because the patch was accidentally leaked last week, giving attackers a head start on reverse-engineering the fix.

What merchants need to do

  • Apply the patch immediately (VULN-32437-2-4-X-patch, distributed with Adobe security advisory APSB25-88).
  • If you run on Adobe Commerce Cloud, Adobe has already enabled temporary web application firewall (WAF) rules for the platform, but these are a stopgap: you still need to apply the patch.
  • If you cannot patch right away, put a WAF in front of the store as short-term mitigation, keeping in mind that a WAF rule is not a substitute for the fix.
  • After patching, review your store for signs of compromise (unexpected admin users, new integrations or API tokens, modified files, unusual sessions) and consider rotating your cryptographic keys as an extra precaution, since any sessions or tokens issued before patching may already be in attackers' hands.

Sansec rates SessionReaper among the most severe Magento vulnerabilities ever disclosed, on a par with past incidents such as Shoplift (2015) and TrojanOrder (2022), each of which led to thousands of compromised stores.

In the same release cycle, Adobe also fixed a serious flaw in ColdFusion (CVE-2025-54261) that could allow attackers to write arbitrary files to the server's file system.

Merchants are urged to patch now to avoid account and store takeovers.
