Adobe released a critical security patch (APSB26-49) on May 12, 2026, addressing a severe vulnerability in Magento that affects versions 2.4.4 through 2.4.9-alpha2. The centerpiece of the bulletin is CVE-2025-54236, known as the SessionReaper flaw, which carries a CVSS score of 9.1 and is being actively exploited in the wild. The flaw lets an unauthenticated attacker bypass authentication on the REST API, upload malicious PHP webshells, and enumerate the configuration of a vulnerable store.
The stakes are extraordinarily high for Magento store owners who have delayed patching. Research indicates that 62% of Magento installations had not applied the fixes six weeks after public disclosure, leaving hundreds of thousands of merchants exposed. More alarming, security researchers at Sansec estimate that between 16% and 18% of all Magento stores worldwide had already been compromised with backdoors before store owners even began patching—meaning some attacks may have gone undetected for weeks or months.
Table of Contents
- What Is the CVE-2025-54236 SessionReaper Vulnerability?
- How Serious Is the Impact on Magento Stores?
- What Versions Are Affected and What’s at Risk?
- How Do You Patch Your Magento Store?
- Why Many Stores Haven’t Applied Fixes Yet
- Beyond the Patch: Additional Vulnerabilities in APSB26-49
- Planning Your Security Strategy Going Forward
- Conclusion
What Is the CVE-2025-54236 SessionReaper Vulnerability?
CVE-2025-54236 stems from improper input validation in Magento's `/customer/address_file/upload` endpoint, a component that lets customers upload files tied to their account information. The vulnerability does not require authentication to trigger, which makes it an unauthenticated remote code execution risk. Attackers craft requests that bypass the intended file validation checks and upload executable PHP files directly to the web server.
Once uploaded, a webshell gives the attacker persistent backdoor access to the entire Magento installation, including sensitive customer data, payment processor configuration, and administrative credentials. The pattern observed in active attacks is to use the vulnerability to drop a webshell first, then use that shell to read the Magento configuration, typically `app/etc/env.php`, which holds database credentials, the encryption key, and payment gateway integration details. Some attackers have also injected malicious code directly into core Magento files so that access survives even if the uploaded file is found and deleted. Unlike flaws that require insider knowledge or a multi-step chain, SessionReaper is remarkably easy to exploit: a single HTTP POST request with a crafted payload is enough.

How Serious Is the Impact on Magento Stores?
The severity of this vulnerability is hard to overstate. A CVSS score of 9.1 places it in the "critical" range, reserved for flaws that can compromise the integrity of an entire system. For Magento merchants the exposure extends beyond the store itself to customer payment data, personal information, and potentially the wider supply chain if the store is part of a larger e-commerce network. A breach of a Magento store puts its PCI DSS compliance in question, and affected merchants face notification obligations, forensic investigation costs, and reputational damage.
What makes this vulnerability particularly dangerous is the real-world exploitation timeline. Security researchers documented active exploitation beginning shortly after the vulnerability became public knowledge in late October 2025. Attackers did not wait for patch adoption to catch up; they immediately began scanning for vulnerable Magento instances and compromising them. Any store that ran an unpatched version during this window has a high probability of having been targeted. With 62% of stores still unpatched six weeks after disclosure, roughly 150,000 or more Magento installations remained open to ongoing compromise.
What Versions Are Affected and What’s at Risk?
Adobe's security bulletin identifies the following vulnerable version ranges: all releases up to and including Magento 2.4.4-p15, 2.4.5-p14, 2.4.6-p12, 2.4.7-p7, 2.4.8-p2, and 2.4.9-alpha2. This covers both the older long-term support (LTS) branches that many established merchants still run and the newer releases that development teams may still be testing. Version 2.4.6, one of the more widely deployed releases among mid-market merchants, will receive no further security patches after August 2026, so stores on 2.4.6 must plan an upgrade to a newer release or accept unpatched exposure after that date.
The version matrix creates a particular challenge for merchants with complex deployment requirements. Some use 2.4.5 or 2.4.6 because they depend on specific extensions that haven’t been certified for 2.4.7 or later versions. Upgrading to patch their vulnerability exposure forces them to either find alternative extensions or maintain custom code forks of older extensions, both expensive propositions. This creates a security debt: the cost of staying on an older version due to extension compatibility may now include the overhead of securing that older version in a post-patch world.
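The version ceilings above are easy to misread when a store reports something like `2.4.6-p10` or a 2.4.9 pre-release, so here is an added example (not Adobe's or Magento's code, and not part of the original article) that reads the installed metapackage version out of a `composer.lock` and classifies it against the bulletin's affected list. The ceilings are the ones quoted above; the assumption that any higher patch level on the same branch carries the fix is this script's, not the bulletin's, and the `composer.lock` excerpt is constructed.

```python
"""Classify an installed Magento version against the APSB26-49 affected ranges.

Added example, not Adobe/Magento code. The "vulnerable up to and including"
ceilings come from the bulletin as quoted in the article. Treating any higher
patch level on the same branch as fixed is an assumption of this script.
"""
import json
import re

# Highest vulnerable patch level per 2.4.x branch, e.g. 2.4.6-p12.
AFFECTED_CEILING = {
    (2, 4, 4): 15,
    (2, 4, 5): 14,
    (2, 4, 6): 12,
    (2, 4, 7): 7,
    (2, 4, 8): 2,
}
# 2.4.9 pre-releases up to and including alpha2 are listed as vulnerable.
AFFECTED_PRERELEASE = {(2, 4, 9): ("alpha", 2)}

METAPACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?(?:-(alpha|beta)(\d+))?$"
)


def parse_version(text):
    """Split '2.4.6-p10' or '2.4.9-alpha2' into (base, patch, prerelease)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0          # '2.4.4' is p0
    pre = (m.group(5), int(m.group(6))) if m.group(5) else None
    return base, patch, pre


def classify(version):
    """Return 'vulnerable', 'above_ceiling' or 'unsupported'."""
    base, patch, pre = parse_version(version)
    if base in AFFECTED_CEILING:
        return "vulnerable" if patch <= AFFECTED_CEILING[base] else "above_ceiling"
    if base in AFFECTED_PRERELEASE:
        if pre is None:                  # a GA 2.4.9 build postdates alpha2
            return "above_ceiling"
        # 'alpha' sorts before 'beta', so tuple comparison orders pre-releases.
        return "vulnerable" if pre <= AFFECTED_PRERELEASE[base] else "above_ceiling"
    if base < (2, 4, 4):
        # 2.4.3 and earlier were never covered by the bulletin: upgrade, don't patch.
        return "unsupported"
    return "above_ceiling"


def installed_version_from_lock(lock_json):
    """Pull the Magento metapackage version out of composer.lock contents."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg["version"]
    raise LookupError("no Magento metapackage found in composer.lock")


# Constructed composer.lock excerpt for a store still on 2.4.6-p10.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.6-p10"},
    {"name": "magento/product-community-edition", "version": "2.4.6-p10"},
]})


if __name__ == "__main__":
    installed = installed_version_from_lock(SAMPLE_LOCK)
    print(installed, "->", classify(installed))
```

Run it against the real `composer.lock` of a store (or the output of `composer show magento/product-community-edition`) rather than the sample; a result of `unsupported` means the branch predates the bulletin and the only fix is an upgrade, as the article notes below.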

How Do You Patch Your Magento Store?
The immediate action is to apply the APSB26-49 fix for your specific Magento version. For merchants on Composer-based installations (the supported install method for 2.4.x), this means updating the `magento/product-community-edition` or `magento/product-enterprise-edition` package to the patched version named in Adobe's bulletin, running `composer update`, and then completing the usual post-upgrade steps: the setup upgrade, DI compilation, static content deployment, and a cache flush. The deployment itself is straightforward for stores with proper development and staging environments. Applying the patch, however, is only the first step.
Stores compromised before patching need a forensic investigation to find and remove injected webshells and backdoors and to rotate any credentials the attacker could have read (database, admin, encryption key, payment gateway). This is where many merchants fall short: they apply the patch but skip the investigation, so an attacker keeps access through malware planted earlier. A proper response checks file modification timestamps against the known attack window, reviews web server logs for POST requests to the upload endpoint, scans the database for injected admin accounts, and reviews payment processor logs for unauthorized transactions or configuration changes. Merchants without in-house security expertise usually need third-party incident response specialists for this work, adding significant cost and time.
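Two of the checks just described, log review for POSTs to the upload endpoint and a sweep for PHP files that should not exist, can be scripted. The following is an added example, not part of the original article and not Adobe or Sansec tooling. It assumes combined-format access logs, a Magento layout in which customer uploads land under `pub/media` (so any `.php` there is suspect), and that you know roughly when the attack window opened; the log lines and the placeholder file are constructed for the demo.

```python
"""Post-patch triage for CVE-2025-54236: flag upload-endpoint POSTs in the
access log and list PHP files under the media tree.

Added example, not Adobe/Sansec code. Assumes Apache/nginx "combined" logs
and a standard Magento layout (customer uploads under pub/media).
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage_log(lines):
    """Return (kind, ip, timestamp, path) for POSTs to the upload endpoint and
    for any request that executes a .php file under /media/ (a shell in use).
    The endpoint is matched by suffix so store-code prefixes and trailing
    slashes don't hide it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.rstrip("/").endswith(UPLOAD_ENDPOINT):
            findings.append(("upload_endpoint_post", rec["ip"], rec["ts"], path))
        elif path.startswith("/media/") and path.lower().endswith(".php"):
            findings.append(("php_under_media", rec["ip"], rec["ts"], path))
    return findings


def php_files_under(root, since):
    """List (path, mtime, in_window) for every .php file under root.
    pub/media should hold no PHP at all, so every hit deserves a look; the
    in_window flag narrows to the attack window. Note that mtime can be
    forged by an attacker, so never treat an old timestamp as an alibi."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            hits.append((full, mtime, mtime >= since))
    return hits


# Constructed log lines: a normal page view, an upload-endpoint POST from a
# scripted client, then that client calling a PHP file under media.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2025:03:14:07 +0000] "GET /customer/account/login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Oct/2025:03:14:09 +0000] "POST /customer/address_file/upload/ HTTP/1.1" 200 214 "-" "python-requests/2.32"',
    '198.51.100.23 - - [23/Oct/2025:03:14:11 +0000] "GET /media/customer_address/x.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.32"',
]


def demo():
    """Run both checks on the constructed data; returns (findings, hits)."""
    findings = triage_log(SAMPLE_LOG)
    # In a real triage use the attack window start; the demo uses "last hour"
    # so the freshly written placeholder file falls inside it.
    since = datetime.now(timezone.utc) - timedelta(hours=1)
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "customer_address"))
        with open(os.path.join(media, "customer_address", "x.php"), "w") as f:
            f.write("<?php /* constructed placeholder, not a real shell */ ?>")
        hits = php_files_under(media, since)
    return findings, hits


if __name__ == "__main__":
    for item in demo()[0] + demo()[1]:
        print(item)
```

Point `triage_log` at the real access logs (rotated files included, since the window may predate the current log) and `php_files_under` at the store's `pub/media`; source IPs from the first check are a good pivot for the rest of the log review, and any hit from the second check should be preserved for analysis before it is removed.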
Why Many Stores Haven’t Applied Fixes Yet
The 62% non-adoption rate six weeks after public disclosure reveals several barriers beyond simple negligence. Many merchants operate Magento stores with minimal staff dedicated to infrastructure management—some have a single developer managing multiple stores, or rely on managed hosting providers who didn’t proactively push updates. Development teams prioritizing feature delivery over maintenance often deprioritize security patching until forced by compliance audits or incident response scenarios. For larger organizations, Magento upgrades require testing on staging environments, validation against custom extensions, and scheduled downtime coordination—constraints that can delay patch deployment by weeks or months even after the decision to patch is made.
Another significant factor is information asymmetry. Many Magento store operators don’t subscribe to Adobe security bulletins, relying instead on their hosting provider or extension vendors to notify them. If that notification chain breaks—a hosting provider’s alert goes to spam, an extension vendor doesn’t relay security information—merchants remain unaware of the vulnerability. Additionally, some stores running older, unsupported Magento versions (2.4.3 and earlier) were never even covered by the APSB26-49 patch, leaving them in a particularly precarious position where upgrading is the only viable solution, not simply patching the current version.

Beyond the Patch: Additional Vulnerabilities in APSB26-49
APSB26-49 is not a single-vulnerability patch. Adobe's bulletin addresses multiple critical, important, and moderate severity vulnerabilities, some with CVSS scores as high as 8.7. These companion issues cover several attack vectors, including cross-site scripting (XSS) in admin panels, SQL injection, and other authentication bypasses.
Stores that fix CVE-2025-54236 but leave the rest of the bulletin unapplied remain exposed to these secondary attack paths. Several high-severity flaws landing in one bulletin suggests they were found in parallel during security research or bug bounty review. Such clustering is common in complex software like Magento, where shared architectural patterns and legacy code reproduce similar weaknesses across modules. Merchants should treat APSB26-49 as an all-or-nothing update: applying it means resolving every packaged vulnerability, not cherry-picking the one that seems most relevant to their deployment.
Planning Your Security Strategy Going Forward
The SessionReaper vulnerability and its exploitation timeline highlight a structural challenge in open-source e-commerce: the lag between disclosure and merchant patch adoption creates real-world exploit windows lasting weeks or months. For merchants planning infrastructure beyond this patch cycle, security should be a primary architecture driver. Placing Magento behind a web application firewall (WAF) configured to block suspicious POST requests to upload endpoints is a compensating control for merchants with a deployment lag. Monitoring that flags unusual file creation or suspicious database activity can catch a compromised system even when the initial scan misses the webshell.
Version planning deserves explicit attention. With each release entering an extended support period in turn, stores running 2.4.4 or 2.4.5 today face a support window that closes in the next 12 to 18 months. Merchant teams should define an upgrade cadence that never lets a store reach unsupported status, rather than delaying until an end-of-life deadline forces the move. That means budgeting development effort for upgrades as a regular operating expense, not a one-off project.
Conclusion
Adobe’s May 2026 security patch addresses a severe vulnerability that has already compromised thousands of Magento stores in the wild. The CVE-2025-54236 SessionReaper flaw, combined with low patch adoption rates and the presence of additional vulnerabilities in APSB26-49, creates an urgent security posture for Magento merchants.
If your store runs any version between 2.4.4 and 2.4.9-alpha2 and hasn’t applied the patch, this should be a priority action item for your operations team. Beyond the immediate patching requirement, merchants should adopt a proactive security framework that includes regular vulnerability scanning, ongoing monitoring of Magento security bulletins, and a documented upgrade strategy for reaching newer major versions before support windows close. For stores already compromised, bringing in incident response expertise is essential—the patch stops new exploitation, but removing existing backdoors requires investigation and cleanup that patching alone cannot accomplish.