Adobe has released an emergency patch for a critical vulnerability dubbed "SessionReaper" (CVE-2025-54236) that affects all Magento/Commerce stores. The flaw allows unauthenticated attackers to bypass security controls and take over user accounts, and it carries a high-severity CVSS score of 9.1 out of 10. Users are strongly advised to apply the patch immediately. Where immediate patching is not feasible, a Web Application Firewall (WAF) can serve as a secondary protection layer to reduce the risk. The tweet does not name specific WAF vendors that protect against this bypass; any robust WAF able to detect and block session-manipulation and account-takeover attempts may offer some defense. Keep the WAF's security rules up to date to maximize protection.
Original tweet: https://twitter.com/cyberkendra/status/1965460561984192603