Background
Earlier this month, Adobe disclosed a critical security vulnerability in Adobe Commerce and Magento Open Source - tracked as CVE-2025-54236, or “SessionReaper.” The flaw affects the Commerce REST API and carries a CVSS base score of 9.1, allowing attackers to potentially take over customer accounts without requiring authentication. A hotfix (VULN-32437-2-4-X-patch) and module updates were released immediately, and initial coverage emphasized the urgency of patching.
Since then, new developments have shed light on how merchants are responding and what the ongoing risks look like.
Adoption of the patch
Despite the critical nature of CVE-2025-54236, security researchers estimate that fewer than 30% of Magento stores applied the patch within the first 10 days after release. This slow adoption leaves a significant portion of the ecosystem vulnerable. Historically, once a patch is public, exploit code often follows quickly — attackers can reverse-engineer updates to understand the vulnerability and build attacks.
The lag in patching highlights a common challenge in e-commerce: balancing operational stability with the urgent need to secure customer data.
Adobe’s response and clarifications
Adobe has emphasized that the Web Application Firewall (WAF) rules deployed for Adobe Commerce on Cloud customers are not a replacement for patching. These rules provide a temporary buffer, but the underlying flaw remains unless the hotfix is applied.
In addition, Adobe has released detailed instructions for verifying patch application using the Quality Patches Tool and provided guidance on updating the Custom Attributes Serializable module to version 0.4.0 or higher. For merchants running on-premises or self-hosted versions, careful validation is required to ensure that fixes are both installed and active.
Risks of delayed updates
While no active exploitation has been confirmed at the time of writing, history suggests that public disclosure combined with delayed patching creates a window of opportunity for attackers. Risks include:
- Reverse-engineered exploits developed from the released patch code.
- Customer account takeovers, with potential for fraud, identity theft, or data leaks.
- Reputational damage, as compromised accounts undermine consumer trust.
Because the vulnerability can be exploited without prior credentials, it poses a higher risk than many privilege-dependent flaws.
Recommendations for e-commerce teams
- Verify patch status: Confirm that VULN-32437-2-4-X-patch is installed and active.
- Update modules: Upgrade the Custom Attributes Serializable module to 0.4.0 or newer.
- Audit logs: Watch for suspicious login attempts or unusual REST API activity.
- Communicate with stakeholders: Reassure customers that security updates are being applied and monitoring is in place.
- Stay informed: Follow Adobe’s security bulletins for ongoing advisories.
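To make the "audit logs" recommendation concrete, here is an added example (not code from Adobe, Magento, or the original post) that scans web-server access log lines for unusual REST API activity: bursts of requests to /rest/ endpoints from one client and a high share of 4xx responses, which is what repeated failed login or token attempts tend to look like in an access log. The combined log format, the thresholds, and the sample log lines are assumptions constructed for the example; tune them to your store's traffic.

```python
"""Flag unusual REST API activity in Magento access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (nginx/Apache default). Assumption: the store's web
# server writes this format; adjust the pattern if yours differs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_rest(path):
    """True for Magento REST API paths (/rest/..., optionally with a store code prefix)."""
    return path.split("?", 1)[0].startswith("/rest/")


def audit_rest_activity(lines, max_requests=20, max_error_ratio=0.5, window_s=60):
    """Return {ip: [reasons]} for clients whose REST usage looks unusual.

    Heuristics (illustrative thresholds, not Adobe guidance):
      - more than max_requests REST calls inside any window_s-second window
      - more than max_error_ratio of REST calls answered with 4xx
        (only evaluated once a client has made at least 5 REST calls)
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_rest(rec["path"]):
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Sliding window over sorted timestamps: largest burst within window_s.
        start, burst = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            burst = max(burst, end - start + 1)
        if burst > max_requests:
            reasons.append(f"{burst} REST requests within {window_s}s")

        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        if len(recs) >= 5 and errors / len(recs) > max_error_ratio:
            reasons.append(f"{errors}/{len(recs)} REST requests returned 4xx")

        if reasons:
            findings[ip] = reasons
    return findings


def _log_line(ip, second, method, path, status):
    # Build one constructed combined-format line (sample data, not from a real store).
    return (f'{ip} - - [10/Sep/2025:14:02:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one ordinary shopper plus one client hammering a REST
# endpoint and mostly receiving 401 responses.
SAMPLE_LOG = [
    _log_line("198.51.100.5", 1, "GET", "/rest/V1/products?searchCriteria=1", 200),
    _log_line("198.51.100.5", 4, "GET", "/checkout/cart/", 200),
    _log_line("198.51.100.5", 9, "GET", "/rest/V1/products/SKU-1", 200),
] + [
    _log_line("203.0.113.7", s, "POST", "/rest/V1/customers/me", 200 if s % 5 == 0 else 401)
    for s in range(25)
]

if __name__ == "__main__":
    for ip, reasons in audit_rest_activity(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run it against a real access log by reading the file into `audit_rest_activity` line by line; the thresholds are deliberately conservative defaults, so expect to raise them for busy stores and to whitelist known integrations (ERP connectors, PIM syncs) that legitimately call the REST API at high volume.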
Conclusion
The disclosure of CVE-2025-54236 is not the end of the story — it is the beginning of a critical period where attackers may attempt to exploit unpatched systems. Merchants who have not yet applied the hotfix remain exposed, despite temporary mitigations like WAF rules.
For e-commerce businesses, patching quickly, validating updates, and maintaining strong monitoring practices are essential.
If your store has not yet been updated or you need assistance applying the latest patches, our team can help ensure your Adobe Commerce or Magento environment is secure and up to date.