The Grim SessionReaper (CVE-2025-54236) Comes to Collect for Halloween

Executive summary

Akamai security researchers have observed in-the-wild activity targeting the critical improper input validation vulnerability in Magento dubbed SessionReaper (CVE-2025-54236).

The flaw was originally made known on September 9, 2025, in a publication by Adobe that included an emergency patch.

On October 22, 2025, an exploit proof of concept (POC) was made public, sparking a dramatic increase in activity.

Magento’s ubiquity and history of critical vulnerabilities make it an attractive target for threat actors.

Given the widespread use of Magento and the critical nature of this vulnerability, organizations should apply the patches provided by Adobe as soon as possible.

Akamai Adaptive Security Engine, our web application firewall (WAF), has been mitigating exploit attempts by default.

What is SessionReaper?…