Arctic Wolf Security Bulletin

CVE-2025-54236: Critical Adobe Commerce and Magento Open Source Flaw Allows Customer Account Takeover and RCE

On September 9, 2025, Adobe released an out-of-band security update to address a critical vulnerability in Adobe Commerce and Magento Open Source. The vulnerability, tracked as CVE-2025-54236 and referred to in open-source reporting as “SessionReaper,” allows a remote unauthenticated threat actor to take over customer accounts through the Commerce REST API. The security researcher who discovered the vulnerability has stated that this flaw could also potentially lead to Remote Code Execution (RCE) under certain conditions. 

Arctic Wolf has not observed exploitation of CVE-2025-54236 or any public proof-of-concept exploit. Sansec has reproduced an exploit avenue, and multiple attack vectors may exist. Based on historical targeting of these platforms (as noted in CISA’s Known Exploited Vulnerabilities catalog) and the potential for RCE, this vulnerability could be targeted by threat actors in the near future.

Recommendation for CVE-2025-54236

Apply Hotfix

Arctic Wolf strongly recommends that customers upgrade to the latest hotfix for CVE-2025-54236. 

Product: Adobe Commerce
Affected versions:
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Product: Adobe Commerce B2B
Affected versions:
  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier

Product: Magento Open Source
Affected versions:
  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier

Fixed version (all products listed above): Hotfix for CVE-2025-54236 (compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7)

Note: For organizations using Adobe Commerce on Cloud infrastructure, Adobe has stated they have deployed web application firewall (WAF) rules to protect environments against exploitation of CVE-2025-54236. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
