Magento Patch: APSB25-88 (CVE-2025-54236) — SessionReaper Critical Fix for Magento 2 / Adobe Commerce
Urgent security notice: A newly disclosed Magento 2 / Adobe Commerce vulnerability, nicknamed SessionReaper by Sansec and tracked as CVE-2025-54236, lets an unauthenticated attacker take over customer sessions, and with them customer accounts, through the Commerce REST API. Adobe has published bulletin APSB25-88 (9 September 2025) with an official hotfix and rates the issue Critical (CVSS 9.1). Patch immediately to protect customer accounts, admin access and sensitive data.
What is SessionReaper (CVE-2025-54236)?
SessionReaper is an improper input validation flaw in the Magento REST API that lets an attacker hijack valid user sessions, and so bypass every security control that relies on the session being genuine, without needing any credentials. Sansec, who named the bug, rank it alongside past high-impact Magento vulnerabilities such as CosmicSting (CVE-2024-34102) and report that on stores using file-based session storage it can escalate to remote code execution. Adobe has assigned it a Critical rating in APSB25-88.
Risks if you do not patch:
- Takeover of customer accounts
- Access to sensitive personal data
- Compromise of admin accounts
- Theft of payment details and order information
- GDPR/compliance exposure and reputational damage
The vulnerability has been documented by the security researchers at Sansec and acknowledged by Adobe in its official security bulletin.
Why you need to act quickly
If left unpatched, your store is exposed to session hijacking, data breaches and the regulatory consequences that follow (such as GDPR violations), putting both your business reputation and your customers at risk. Bear in mind that because SessionReaper abuses sessions, applying the patch closes the hole but does not by itself evict a session an attacker has already hijacked: after patching, review admin users and API integrations for anything unexpected and consider forcing all users to log in again.
Our SessionReaper Fix Service
We provide a rapid, professional patching service for Magento 2 stores:
- Patch deployment: apply the official Adobe fix to close the SessionReaper vulnerability
- Time required: approximately 2 hours
- Downtime: a short maintenance window during patching
- Cost: £190 + VAT
Secure Your Store Today
Don’t wait until it’s too late. Protect your business and your customers by applying this critical security fix.