Adobe Commerce/Magento "SessionReaper" RCE (CVE-2025-54236)
Description
Adobe Commerce and Magento Open Source contain a critical vulnerability (CVE-2025-54236, publicly nicknamed "SessionReaper") in the REST web API. The API deserializes nested objects from request bodies without adequate validation (Adobe classifies the flaw as improper input validation), which lets an unauthenticated attacker craft a request that bypasses authentication and takes over a customer session. Chained with the platform's file upload capabilities, the same flaw yields remote code execution on the affected server with no valid credentials required. Because the REST API is exposed on a default storefront, the attack surface is the public site itself, not the admin panel, and exploitation has been observed in the wild.
Remediation
Apply the fix from Adobe Security Bulletin APSB25-88 immediately. Adobe released it as an isolated hotfix rather than as new patch releases, so the version string alone does not prove a store is fixed: Adobe Commerce and Magento Open Source 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and all earlier releases are affected, and a store on any of them stays vulnerable until the hotfix is applied or it is upgraded to a later release that contains the fix. Confirm the patch is present on every node (including standby and blue/green environments) rather than assuming a deploy carried it.

If patching must wait, treat the following as compensating controls only. The vulnerable surface is the public REST API, so IP-allowlisting the admin interface by itself does not close this hole: (1) restrict the REST API at the reverse proxy or WAF to the clients and endpoints the storefront actually needs, and allowlist the admin interface by IP as well to limit what a stolen session is worth; (2) deploy WAF rules that block request bodies carrying nested object structures the API should never receive, and expect exploit payloads to vary, so do not rely on a single signature; (3) monitor for authentication-bypass and upload activity: unauthenticated POSTs to /rest/ endpoints with unusual JSON bodies, new or modified files under var/session and pub/media, and admin accounts or API integrations you did not create.

After patching, verify the integrity of the installation against a known-good release (composer-managed code compared with the vendor tree, plus a review of any PHP file in writable directories) and review access logs from before the patch date for signs of prior exploitation. The patch does not evict an attacker who already holds a web shell or an admin session.
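As an added example (not code from this bulletin, Adobe, or the Magento project), the check below maps an installed version string to the affected ranges from APSB25-88. It assumes the `bin/magento --version` output format ("Magento CLI 2.4.7-p6") and the release ordering alpha < beta < GA < p1 < p2. Because the fix shipped as an isolated hotfix, whether it has been applied cannot be read from the version and is passed in as a flag; the `session_save` argument reflects the assumption, taken from public write-ups, that the RCE chain depends on file-based session storage, and it only changes the wording of the result, never the verdict.

```python
"""Exposure check for CVE-2025-54236 (SessionReaper) from an installed version string.

Added example; not Adobe's or the Magento project's code. The ceilings are the
"and earlier" versions from APSB25-88. Because Adobe shipped the fix as an
isolated hotfix, an affected version can still be patched, so that fact is
passed in rather than detected here.
"""
import re
from typing import Optional, Tuple

# Highest affected release per 2.4.x line ("and earlier" in APSB25-88).
AFFECTED_CEILING = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}

# Release ordering within a line (assumption): alpha < beta < GA (no suffix) < p1 < p2 < ...
_SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.7-p6' into a tuple that compares the way Magento releases do."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, suffix, num = m.groups()
    return (int(major), int(minor), int(patch), _SUFFIX_RANK[suffix], int(num or 0))


def version_from_cli(output: str) -> Optional[str]:
    """Pull the version out of `bin/magento --version` output ('Magento CLI 2.4.7-p6')."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?", output)
    return m.group(0) if m else None


def is_affected_version(version: str) -> Optional[bool]:
    """True if at or below the bulletin's ceiling for that line, False if newer,
    None if the release line is not listed (go read the bulletin)."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILING.get(v[:3])
    if ceiling is None:
        return None
    return v <= parse_version(ceiling)


def assess(version: str, hotfix_applied: bool = False, session_save: str = "files") -> str:
    """Combine the version check with what the version string cannot tell you.

    session_save is the configured session backend ('files', 'redis', 'db').
    The idea that non-file storage blocks the RCE chain is an assumption from
    public write-ups, so it only changes the message, never the verdict.
    """
    affected = is_affected_version(version)
    if affected is None:
        return "unknown: release line not listed in APSB25-88, check the bulletin"
    if not affected:
        return "not affected: newer than the APSB25-88 ceiling for this line"
    if hotfix_applied:
        return "patched: affected release with the APSB25-88 hotfix applied"
    if session_save.lower() == "files":
        storage = "file-based sessions"
    else:
        storage = f"{session_save} sessions (do not rely on this as protection)"
    return f"vulnerable: affected release without the hotfix, {storage}; apply the fix now"


if __name__ == "__main__":
    # Constructed sample input standing in for real `bin/magento --version` output.
    sample_cli_output = "Magento CLI 2.4.7-p6"
    ver = version_from_cli(sample_cli_output)
    print(ver, "->", assess(ver, hotfix_applied=False, session_save="files"))
```

Run it with the real `bin/magento --version` output and set `hotfix_applied` from your deployment record, not from memory; a "not affected" result for a line the bulletin does not list comes back as "unknown" on purpose, so that a future release line is checked against the bulletin rather than silently passed.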