11 September 2025
On 9 September 2025, Adobe deviated from its regular release cycle to issue an urgent patch for a critical severity (9.1) vulnerability affecting all versions of Adobe Commerce and Magento. Tracked as CVE-2025-54236 and named SessionReaper, the flaw allows customer account takeover and unauthenticated remote code execution under certain conditions.
SessionReaper is considered one of the most serious Magento security issues to date, and has been compared to high-profile vulnerabilities such as Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). In past incidents, thousands of stores were compromised, in some cases within mere hours of the vulnerability being disclosed.
We first learned of the patch through Sansec’s report of its pending release on Sep 8th. Adobe had privately notified selected Commerce customers; Open Source users, however, were left uninformed. While we knew an emergency update was on the horizon, Adobe does not share full details in advance, so the severity wasn’t clear until the official announcement.
Timeline
Aug 22nd: Adobe internally discusses emergency fix
Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88
(Source: Sansec)
To ensure our customers were prepared, we proactively raised support tickets ahead of time. This allowed us to respond immediately once details became available, prioritising customer protection.
Once the severity became clear, our team acted immediately. Within minutes of the release, we informed customers of the risk and scheduled the patch implementation.
We began by coordinating with our development team and applying the update to development environments. From there, our developers and account managers collaborated to thoroughly test and validate the patch, confirming it was safe for production.
We're proud to report another 100% success rate – within 24 hours all clients were patched, with no issues following deployment to live environments.
If your agency hasn't been in touch about this patch, we strongly recommend reaching out to them. It's also worth asking why a more proactive approach wasn't taken. This is a critical update: without it, your Magento site and customer data could be at serious risk.
If this is something you would like help with, please get in touch.