Back to Blog Homepage
Deploy Blog
Nathan ChickLatest Security patch for Magento: CVE-2025-54236
Adobe has released an emergency patch for a critical Magento vulnerability (CVE-2025-54236) that could lead to account takeover and remote code execution. If you are running Magento 2.4.4-2.4.7, patch immediately.
Adobe has released an emergency out-of-band patch to address a critical flaw in Magento / Adobe Commerce, tracked as CVE-2025-54236, also known as SessionReaper. Adobe Security Bulletin
Risk Overview
- The vulnerability is tied to improper input validation in the Web API (
ServiceInputProcessor), allowing attackers to bypass security controls without interaction. - Can lead to customer account takeover and potentially unauthenticated remote code execution (RCE), especially with file-based session storage.
- Confirmed by Sansec, who simulated the attack and publicised the SessionReaper research.
- Patch leak increases the risk of active exploitation.
Affected Versions
- Adobe Commerce & Magento Open Source 2.4.4 through 2.4.9-alpha2.
- WAF rules are applied to cloud deployments, but patching is mandatory.
Recommended Actions
- Patch immediately. Test custom and third-party modules carefully.
- Enable WAF rules if immediate patching is not possible (Sansec Shield and Adobe Fastly confirmed to block this attack vector).
- Scan for indicators of compromise after patching.
- Rotate critical keys and verify integrity of core files.
Shoutout to Sansec & our own Scott
We're proud to partner with Sansec, whose team first simulated and publicised this vulnerability.
Special recognition goes to Scott, our technical lead, for his additional research contributions on this issue.
We tested the patch prior to the public release, allowing all of our customers to be patched and live on the day of the release.