Active Exploitation of SessionReaper Vulnerability in Adobe Magento
Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation.
Adobe issued an emergency patch for SessionReaper six weeks prior to the observed attacks, but patch adoption has been slow. Attackers are leveraging PHP webshells and probes to exploit the vulnerability, with most attacks originating from a handful of IP addresses. Security experts warn that the public availability of exploit details and the high impact of the flaw make rapid patching and the activation of web application firewalls critical for all affected organizations.
Timeline
Oct 22, 2025
Sansec warns most Magento stores remain unpatched
Roughly six weeks after the patch, Sansec said only about 38% of Magento stores had patched, leaving about 62% still vulnerable. Researchers warned that low patch adoption and public exploit details could enable mass automated exploitation.
Oct 22, 2025
Adobe updates advisory to confirm in-the-wild exploitation
After releasing the patch, Adobe updated its security advisory to acknowledge that CVE-2025-54236 was being exploited in the wild. Later reporting on the active attacks cited this update.
Oct 22, 2025
Sansec detects over 250 SessionReaper exploitation attempts
Sansec reported blocking more than 250 exploitation attempts against multiple Magento/Adobe Commerce stores in a single day, with payloads including PHP webshells and phpinfo probes from multiple IP addresses. The activity marked clear in-the-wild exploitation of CVE-2025-54236.
Oct 22, 2025
Technical analysis and PoC for SessionReaper are published
Assetnote/Searchlight Cyber published a reverse-engineering-based technical analysis and proof-of-concept for SessionReaper, describing how the bug could lead to unauthenticated remote code execution in some configurations. Multiple sources say public exploit details increased the likelihood of rapid weaponization.
Sep 9, 2025
Adobe releases emergency patch for SessionReaper
Adobe released a hotfix/emergency update for CVE-2025-54236 to address the SessionReaper flaw. Reports place the patch release on September 9, 2025.
Sep 8, 2025
Adobe discloses CVE-2025-54236 advisory
Adobe publicly disclosed CVE-2025-54236, a critical improper input validation flaw in Adobe Commerce and Magento Open Source that can enable customer session takeover via the REST API. Multiple reports cite September 8, 2025 as the disclosure date.
Sep 8, 2025
Researcher responsibly discloses SessionReaper to Adobe
Security researcher Blaklis responsibly disclosed the SessionReaper vulnerability, later tracked as CVE-2025-54236, to Adobe before public exploitation was reported. The disclosure prompted Adobe to prepare an emergency fix.
Related Stories

Critical Magento SessionReaper Vulnerability (CVE-2025-54236) Enables Session Hijacking and Remote Code Execution
A critical vulnerability in the Magento ecommerce platform, identified as CVE-2025-54236 and dubbed 'SessionReaper,' has been actively exploited in the wild. The flaw allows attackers to hijack user sessions and achieve unauthenticated remote code execution (RCE) on affected Magento installations. Security researchers observed a surge in exploitation attempts following the public release of a proof-of-concept (PoC) exploit, with attackers deploying web shells and conducting reconnaissance using classic PHP probes. Adobe released an emergency patch for the vulnerability, and organizations are urged to apply it immediately to mitigate risk. Magento's widespread use and history of critical vulnerabilities make this flaw particularly attractive to threat actors. Exploitation attempts have targeted over 130 hosts from multiple IP addresses within 48 hours of the PoC's publication. Web application firewalls, such as Akamai's Adaptive Security Engine, have been effective in mitigating some exploit attempts by default. The vulnerability's critical nature and active exploitation highlight the urgent need for patching and enhanced monitoring of Magento deployments.
Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including versions from **2.4.4 through 2.4.7** and other listed builds and earlier releases. Security guidance escalated after reports that the flaw was being actively exploited in the wild and had been added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.