What Happened
As an Adobe Commerce Partner, we want to be clear about the latest exploit, CVE-2025-54236, known as SessionReaper. A flaw in the platform’s web API validation allows attackers to send malicious data directly into Adobe Commerce or Magento Open Source stores. Once inside, they can impersonate real users, hijack sessions, and perform unauthorized actions, all without needing a password or login.
Why the Adobe Commerce Vulnerability (CVE-2025-54236) Is Serious
- The exploit is live and active. Hundreds of stores were breached in the past 24 hours.
- Attackers can steal customer data, intercept payments, or deploy card-skimming scripts.
- Any store that hasn’t been patched in the last two weeks is at risk. THIS IS NOT THEORETICAL.
Immediate Action
- Apply the Adobe patch now. Adobe has released the fix “VULN-32437-2-4-x-patch” covering all affected versions.
- Audit your environment. Review for new admin users, unusual PHP files in /media or /pub, or unfamiliar API traffic.
- Commerce Cloud users: Adobe’s Web Application Firewall mitigates most of this, but patching is still mandatory.
- Open-source merchants: you must patch manually or through your development partner; delays invite compromise.
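The file-system part of the audit above (looking for PHP files where a store should only be serving images and static assets) can be scripted. The following is an added example, not code from ioVista or Adobe; it assumes the standard Magento 2 layout where uploads live under pub/media and compiled assets under pub/static, and it builds a small constructed directory tree so the check can be run offline. The admin-user and API-traffic checks are separate (database and web-server log) reviews and are not covered here.

```shell
#!/bin/sh
# Added example (not from ioVista or Adobe): report PHP-like files under the
# web-served upload/static directories of a Magento 2 install.
# Assumption: standard layout <root>/pub/media and <root>/pub/static.

# find_unexpected_php ROOT [DAYS]
# Prints files ending in .php/.phtml/.phar under ROOT/pub/media and
# ROOT/pub/static modified within the last DAYS days (default 14, matching
# the "not patched in the last two weeks" window above). These directories
# should never contain executable PHP, so any hit deserves a look.
find_unexpected_php() {
    root="$1"
    days="${2:-14}"
    for dir in "$root/pub/media" "$root/pub/static"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
            -mtime "-$days"
    done
}

# count_unexpected_php ROOT [DAYS]
# Number of hits, convenient for a cron job or monitoring alert threshold.
count_unexpected_php() {
    find_unexpected_php "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree ROOT
# Builds a constructed sample store tree (not real data) with two planted
# suspicious files and two legitimate ones, so the check can be exercised offline.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/pub/media/catalog/product" "$root/pub/static/frontend" "$root/app/code"
    printf 'GIF89a' > "$root/pub/media/catalog/product/image.gif"           # legitimate upload
    printf '<?php echo 1;' > "$root/pub/media/catalog/product/cache.php"    # suspicious: PHP in media
    printf '<?php echo 2;' > "$root/pub/static/frontend/view.phtml"         # suspicious: PHP in static
    printf '<?php // module' > "$root/app/code/Module.php"                  # legitimate: app/ is not scanned
}

# Usage: sh audit_php_uploads.sh --demo        (runs against the constructed tree)
#        . ./audit_php_uploads.sh; find_unexpected_php /var/www/magento 14
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_unexpected_php "$tmp"
    rm -rf "$tmp"
fi
```

Run it against the real store root on a schedule and compare the output with a known-good baseline taken right after patching; a non-empty result is a trigger for a closer look at the file's contents, its owner and its modification time, not proof of compromise on its own.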
The Bigger Picture
This event is a reminder that security is not set-and-forget. Even the most trusted platforms face new threats. Adobe is actively strengthening its security posture, but merchants must keep pace.
At ioVista, we help businesses stay ahead, from rapid patching and hardening to long-term AI-driven monitoring strategies. Whether you’re committed to Adobe Commerce or evaluating other enterprise platforms, our job is to keep your commerce stack secure, stable, and ready for what’s next.
If you’d like ioVista to run a same-day Adobe Commerce security audit, contact us today!