
A mere few weeks after Adobe released an emergency fix for SessionReaper (CVE-2025-54236), attacks are now widespread, and only 38% of shops are patched, leaving roughly 3 in 5 Magento/Adobe Commerce sites exposed. That is not good!

We’ve finished patching and validating every shop we manage. If you haven’t patched yet, this is your heads‑up and your how‑to.

What is SessionReaper?

No, it’s not some Halloween hangover – SessionReaper is a critical input‑validation flaw in the Commerce REST API that lets attackers hijack authenticated sessions without user interaction. In real‑world attacks, it is used to:

  • Take over customer or admin accounts (account‑takeover)
  • Place fraudulent orders or alter pricing
  • Drop webshells to gain persistent access and pivot deeper
  • Exfiltrate customer data and abuse saved payment methods

If your storefront exposes the REST API (most do), you’re in scope.

Why the noise now?

  • Patch released: 9 September 2025
  • Exploit details + PoC circulated: mid‑to‑late October
  • Active exploitation observed: last few weeks and ongoing

When exploit techniques become public, automated scanning starts. Unpatched sites get swept up first.

“But patching broke things last time…”

We hear this concern a lot — and it’s a key reason many shops delay security updates. Common worries include:

  • API/Extension compatibility: The fix tightens request handling; brittle customisations can fail.
  • Peak‑season risk: Teams avoid changes near campaigns, Black Friday, or the pre‑Christmas period.
  • Resource constraints: Patching + testing isn’t a one‑click job.

Those concerns are real — and solvable with a disciplined rollout.

What Big Eye Deers have done:

  1. Impact assessment & inventory
    • Mapped affected versions across all client shops and integrations.
  2. Staged patching
    • Applied Adobe’s patch/updated release in staging first; then production in maintenance windows.
  3. Regression testing
    • Checkout, customer login/registration, carts, shipping rules, tax, promotions, custom API consumers, and key extensions.
  4. Compensating controls (belt‑and‑braces)
    • Tightened WAF rules on REST endpoints
    • Rate‑limited sensitive API routes
    • Temporarily disabled unused API integrations
  5. Threat hunt & hardening
    • Scanned for webshells, anomalous admin users, modified templates, and cron changes
    • Rotated API keys, tokens, and admin passwords
    • Enabled additional request logging on API endpoints
  6. Monitoring
    • Enhanced alerting for suspicious login patterns, sudden spikes in failed requests, and filesystem changes

Result: All Big Eye Deers‑managed shops are patched, tested, and monitored.


What you should do now (owner’s checklist)

1) Patch immediately

  • Apply the latest Adobe Commerce/Magento security update for CVE‑2025‑54236, following security bulletin APSB25-88.
  • If you can’t patch today, employ a trusted WAF and disable unused integrations as a temporary control.

2) Hunt for compromise (assume breach if you’ve been exposed for weeks)

  • Search web roots for new/odd .php files; check var/log/ and /pub for unexpected changes.
  • Review admin user list and recent permission changes.

3) Harden

  • Add WAF rules for REST API routes; enable rate limiting.
  • Disable guest access to sensitive endpoints.
  • Ensure 2FA on all admin accounts.
  • Rotate API keys, integration tokens, and admin passwords.

4) Monitor

  • Turn on structured API request logging; set alerts on spikes in 4xx/5xx traffic and odd user agents.
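As an added example (not code from the original post or from Big Eye Deers), here is a small Python monitor that implements the log checks from steps 2 and 4 above: it reads web-server access lines in combined log format, keeps only REST API routes under /rest/, and flags any client that piles up 4xx/5xx responses or uses an automation-style user agent. The log lines, IPs and threshold are constructed for the demo; tune the threshold and user-agent list to your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2025:10:00:01 +0000] "POST /rest/V1/customers/me HTTP/1.1" 401 52 "-" "python-requests/2.31"
203.0.113.5 - - [20/Nov/2025:10:00:02 +0000] "POST /rest/V1/customers/me HTTP/1.1" 400 52 "-" "python-requests/2.31"
203.0.113.5 - - [20/Nov/2025:10:00:03 +0000] "POST /rest/V1/customers/me HTTP/1.1" 400 52 "-" "python-requests/2.31"
203.0.113.5 - - [20/Nov/2025:10:00:04 +0000] "POST /rest/V1/customers/me HTTP/1.1" 500 52 "-" "python-requests/2.31"
198.51.100.9 - - [20/Nov/2025:10:01:00 +0000] "GET /rest/V1/guest-carts/abc/items HTTP/1.1" 200 310 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
198.51.100.9 - - [20/Nov/2025:10:01:05 +0000] "POST /rest/V1/guest-carts/abc/items HTTP/1.1" 404 88 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
192.0.2.7 - - [20/Nov/2025:10:02:00 +0000] "GET /checkout/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User agents that rarely belong to a real storefront customer (assumed list; extend as needed).
SUSPICIOUS_UA = re.compile(r"python-requests|curl/|go-http-client|^-?$", re.I)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines, error_threshold=3):
    """Aggregate REST API traffic per client IP and return a list of findings."""
    stats = defaultdict(lambda: {"errors": 0, "total": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/rest/"):
            continue  # skip unparseable lines and non-API routes
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        s["uas"].add(rec["ua"])
    findings = []
    for ip, s in sorted(stats.items()):
        reasons = []
        if s["errors"] >= error_threshold:
            reasons.append(f"{s['errors']} 4xx/5xx responses on REST routes (of {s['total']})")
        odd = sorted(ua for ua in s["uas"] if SUSPICIOUS_UA.search(ua))
        if odd:
            reasons.append("suspicious user agent: " + ", ".join(odd))
        if reasons:
            findings.append({"ip": ip, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f["ip"], "->", "; ".join(f["reasons"]))
```

Point it at a rolling window of your real access log and raise an alert whenever `analyze` returns anything; the ordinary shopper at 198.51.100.9 stays below the threshold and is not reported.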

FAQ

Are Commerce Cloud sites safe by default? Cloud WAF helps, but it’s not a substitute for patching. Apply the update.

We don’t use the REST API; are we safe? Normal customer journeys use the REST API for cart sessions and checkout, so locking the API down completely isn’t an option. Ensure you have applied the latest patches.

We patched, do we still need to hunt? Yes. Patch stops new break‑ins; it doesn’t eject existing footholds.

Need help fast?

If you’re short on time or worried about downtime, we can patch, test, and harden your shop with zero‑drama change windows. We’ll also run a post‑exploitation sweep to ensure no lingering backdoors.

Bottom line: With active exploitation and only ~38% patch coverage so far, waiting is the riskiest option. If we manage your shop, you’re covered. If we don’t, we can help today.

By Emma


25 / 11 / 2025
