2:00pm, 24 October 2025
CVE-2025-54236 AKA SessionReaper affecting Adobe Commerce and Magento Open Source
The NCSC is drawing your attention to an improper input validation vulnerability, CVE-2025-54236 (known as SessionReaper), affecting Adobe Commerce, Adobe Commerce B2B and Magento Open Source. We are aware of reports of exploitation attempts against Magento stores.
What's happening
Systems affected
The following products and versions may be affected by the vulnerability:
Adobe Commerce:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
Magento Open Source:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
What to look for
How to tell if you're at risk
You are at risk if you are running any Adobe Commerce, Adobe Commerce B2B or Magento Open Source version in the affected list above. Each entry is a ceiling for its release branch ("2.4.7-p7 and earlier" covers 2.4.7 and every 2.4.7 patch level up to p7), so compare your installed version against the entry for the same branch.
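The following is an added example for this advisory, not NCSC or Adobe tooling. It reads the installed Magento version out of a composer.lock file and compares it, per release branch, against the "and earlier" ceilings listed above. The ceilings are copied from the list on this page; the version-string grammar (2.4.7-p3, 2.4.9-alpha2) and the composer package name magento/product-community-edition are assumptions of the example, and the composer.lock fragment is constructed here. It goes slightly beyond the page by handling pre-release (alpha/beta) and plain-release versions as well as patch levels.

```python
"""Compare an Adobe Commerce / Magento version against the affected-version
ceilings in the CVE-2025-54236 advisory.

Added example for this page, not NCSC or Adobe code.  Ceilings are copied
from the advisory; the version grammar and composer package name are
assumptions."""
import json
import re

# "X and earlier" ceilings per release branch, keyed by product (from the advisory).
AFFECTED_CEILINGS = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
}

# Ordering within one branch: pre-releases sort before the plain release,
# which sorts before the security patch levels (-p1, -p2, ...).  Assumed grammar.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), (suffix_rank, suffix_number)); ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    number = int(m.group(5)) if m.group(5) else 0
    return branch, (_SUFFIX_RANK[suffix], number)


def assess(product, version):
    """Classify a version as 'affected', 'above-ceiling' or 'branch-not-listed'.

    'affected' means at or below the advisory ceiling for the same branch.  A
    version number alone cannot show whether a vendor hotfix has been applied
    on top of it, so treat 'affected' as "confirm the fix against the vendor
    advisory", not as proof of exposure.
    """
    branch, level = parse_version(version)
    for ceiling in AFFECTED_CEILINGS[product]:
        c_branch, c_level = parse_version(ceiling)
        if c_branch == branch:
            return "affected" if level <= c_level else "above-ceiling"
    return "branch-not-listed"


def version_from_composer_lock(lock_text, package):
    """Return the locked version of `package` from composer.lock JSON, or None if absent."""
    data = json.loads(lock_text)
    for entry in data.get("packages", []):
        if entry.get("name") == package:
            return entry.get("version")
    return None


# Constructed composer.lock fragment standing in for a real store's file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-community-edition", "version": "2.4.7-p3"},
    {"name": "magento/module-catalog", "version": "104.0.7-p3"},
]})

if __name__ == "__main__":
    v = version_from_composer_lock(SAMPLE_LOCK, "magento/product-community-edition")
    print(f"Magento Open Source {v}: {assess('Magento Open Source', v)}")
    for product, version in [("Adobe Commerce", "2.4.8-p3"), ("Adobe Commerce", "2.4.9-beta1"),
                             ("Adobe Commerce B2B", "1.4.2-p7"), ("Adobe Commerce", "2.4.3-p3")]:
        print(f"{product} {version}: {assess(product, version)}")
```

composer.lock reflects what was last installed by Composer, which can drift from the deployed code; cross-check against the version the running instance reports. A result of 'branch-not-listed' (for example a 2.4.3 release) only means the advisory does not give a ceiling for that branch, not that it is unaffected.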
What to do
Prevention
Refer to the vendor advisory for patch and mitigation advice:
More information
If you require more information or further support, submit a report on our website or contact us on 0800 114 115.