• By Kiwi Commerce
  • 04 Dec, 2025
  • Magento

Magento SessionReaper Exploit (CVE-2025-54236) – How to Patch Your Store URGENTLY?

This is a serious security notification for merchants using Magento or Adobe Commerce. The critical Magento SessionReaper exploit (CVE-2025-54236) has escalated from theoretical risk to active exploitation by automated attackers. Immediate action is required to protect your store and customer data.

What is SessionReaper?

SessionReaper is a dangerous security flaw affecting Adobe Commerce and Magento Open Source. Tracked as CVE-2025-54236, this vulnerability allows attackers to exploit session handling weaknesses.

Think of a customer’s shopping session as a temporary ID badge. This badge confirms their identity as they browse your store. SessionReaper allows an attacker to generate a fake, fully functional ID badge without a password.

Once accepted, this fake session can:

  • Hijack customer accounts
  • Steal private information

Execute Remote Code Execution (RCE), potentially allowing full control over your server to install malware

How Does It Work?

The vulnerability primarily targets Magento’s REST API. Attackers can bypass authentication, hijack sessions, and in some cases, execute arbitrary code on the server.

This is comparable to previous critical flaws such as Shoplift and CosmicSting, which caused rapid, widespread compromises across unpatched stores.

Current Risk Status

this, 62% of Magento stores remain exposed, leaving them vulnerable to automated attacks using publicly available exploit code.


Patching Status:

  • Patched Stores: 38%
  • Vulnerable Stores: 62%
  • Exploitation: Active and ongoing

How to Secure Your Store URGENTLY

To protect your store, implement the following steps immediately:

1. Apply the Hotfix

  • Download: VULN-32437-2-4-X-patch
  • Upload to your Magento installation root directory
  • Run:

patch -p1 < %patch_name%.composer.patch

(If -p1 fails, try -p2)

  • Refresh cache in Admin under System > Cache Management

This is a temporary but critical measure to block immediate exploitation.

  1. Upgrade to the Latest Magento Version

For a permanent fix, test and deploy the official security patch or upgrade Magento to the latest version:

  • Recommended: Move to Magento 2.4.8
  • Benefits: Latest security features, bug fixes, and compliance updates

Our Adobe-certified experts can help ensure a smooth, secure upgrade.

  1. Enable WAF Protection (Temporary Shield)

If immediate patching or upgrade isn’t possible:

  • Block Attacker IPs: Configure your firewall to deny traffic from known malicious IP addresses
  • Block Vulnerable Paths: Prevent access to critical endpoints until the patch is fully applied

This is a temporary measure, but it helps reduce risk while you implement permanent fixes.

Is Your Magento Store Truly Secure?

Even after patching, compromised stores may still contain hidden backdoors left by attackers. A simple update might not be enough to ensure full security.

Our Magento security team can:

  • Conduct a comprehensive scan of all files, databases, and logs
  • Detect and remove malicious code and backdoors
  • Verify your store is fully protected from SessionReaper and other zero-day threats

Contact us today for a full security audit and ensure your store is safe.

Don’t Delay Protect Your Customers and Your Business

With active exploitation underway, unpatched stores are at extreme risk. Implement the hotfix, upgrade Magento, and consider temporary WAF protection immediately.

Security isn’t optional  it’s critical to maintain customer trust and protect your business from catastrophic breaches.

Kiwicommerce will help you apply the required patch to secure your store promptly and effectively.

Leave a Reply

Your email address will not be published. Required fields are marked *