Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for CVE-2025-54236, a critical improper input validation flaw in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed "SessionReaper" by Sansec, carries a reported CVSS 9.1 rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including 2.4.4 through 2.4.7, other builds listed in the advisory, and earlier releases.
Security guidance escalated after reports said the flaw was being actively exploited in the wild and it was added to CISA's Known Exploited Vulnerabilities catalog. Adobe published remediation details in APSB25-88 and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase WAF, API, and SIEM monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.
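The "verify patch status" step above is the one most stores can automate. The following is an added example, not code from Adobe, Sansec, or this page: it reads a store's composer.lock, pulls the Adobe Commerce / Magento product version, and flags any install whose version falls in the range this story reports as affected (2.4.4 through 2.4.7 and earlier). It assumes the standard metapackage names magento/product-community-edition and magento/product-enterprise-edition and the usual "2.4.7-p3" patch-level suffix; the composer.lock content is constructed for the example. Whether a given patch level already contains the CVE-2025-54236 fix must be confirmed against APSB25-88, so the script reports "verify against advisory" rather than declaring a build safe.

```python
"""Added example (not from the Mallory page or Adobe): flag Adobe Commerce /
Magento Open Source installs whose version is in the range this story names
as affected by CVE-2025-54236 (2.4.4 through 2.4.7 and earlier releases).

Assumptions: composer.lock lists the product metapackage under "packages";
the exact affected and patched builds come from Adobe advisory APSB25-88,
which is the authority, not the range hard-coded here."""
import json
import re
from typing import Dict, Optional, Tuple

# Metapackage names used by Magento Open Source and Adobe Commerce installs.
PRODUCT_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

# Upper bound of the range this story reports as affected (page wording:
# "2.4.4 through 2.4.7 ... and earlier releases").
REPORTED_UPPER_BOUND = (2, 4, 7)

# Matches "2.4.7" and "2.4.7-p3" (Magento's patch-release suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, p-level); p-level is 0 when absent."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_in_reported_range(version: str) -> bool:
    """True when the base release (ignoring -pN) is 2.4.7 or lower.

    This deliberately ignores the patch level: the page does not state which
    -p builds carry the fix, so anything at or below 2.4.7 is flagged for
    manual confirmation against APSB25-88 rather than marked safe."""
    return parse_version(version)[:3] <= REPORTED_UPPER_BOUND


def find_commerce_version(composer_lock_text: str) -> Optional[str]:
    """Extract the product metapackage version from composer.lock JSON."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in PRODUCT_PACKAGES:
            return pkg.get("version")
    return None


def assess(composer_lock_text: str) -> Dict[str, object]:
    """Summarise patch status for one store from its composer.lock."""
    version = find_commerce_version(composer_lock_text)
    if version is None:
        return {"version": None, "flagged": False,
                "action": "product metapackage not found; check manually"}
    flagged = is_in_reported_range(version)
    action = ("in reported affected range: verify against APSB25-88 and "
              "apply the vendor fix if missing" if flagged
              else "above reported range: confirm against APSB25-88")
    return {"version": version, "flagged": flagged, "action": action}


# Constructed composer.lock fragment standing in for a real store's file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p3"},
    ]
})

if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSER_LOCK))
```

Run it against the store's real composer.lock (`assess(open("composer.lock").read())`) from a deploy host; the result is a worklist for patch verification, not a vulnerability verdict.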

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-54236 added to CISA KEV amid active exploitation
By March 2026, the vulnerability was reported as actively exploited in the wild and had been added to CISA’s Known Exploited Vulnerabilities catalog. This marked an escalation from earlier reporting that had not yet observed exploitation.
Adobe issues out-of-band patch for CVE-2025-54236
Adobe released Security Advisory APSB25-88 and patched affected Adobe Commerce, Adobe Commerce B2B, and Magento Open Source versions for the critical auth bypass/session takeover flaw CVE-2025-54236. Early reporting described the issue as severe and urged customers to apply the emergency hotfix immediately.
Sources
5 references tracked.
CVE-2025-54236: Adobe Commerce Auth Bypass Vulnerability (sentinelone.com)
Adobe warns of critical vulnerability in Commerce and Magento platforms | The Cyber Security Hub posted on the topic (linkedin.com)
Protect Your Magento 2 Store from the APSB25-88 Session Reaper Vulnerability | Swiss Up Labs Magento blog (swissuplabs.com)
The Story Behind Magento's SessionReaper Vulnerability (CVE-2025-54236) | by Nidhin Chandran R (medium.com)
[APSB25-88] Security Patch Announcement for Adobe Commerce and Magento | Aimsinfosoft (aimsinfosoft.com)