Critical Magento SessionReaper Vulnerability (CVE-2025-54236) Enables Session Hijacking and Remote Code Execution
A critical vulnerability in the Magento ecommerce platform, identified as CVE-2025-54236 and dubbed 'SessionReaper,' has been actively exploited in the wild. The flaw allows attackers to hijack user sessions and achieve unauthenticated remote code execution (RCE) on affected Magento installations. Security researchers observed a surge in exploitation attempts following the public release of a proof-of-concept (PoC) exploit, with attackers deploying web shells and conducting reconnaissance using classic PHP probes. Adobe released an emergency patch for the vulnerability, and organizations are urged to apply it immediately to mitigate risk.
Magento's widespread use and history of critical vulnerabilities make this flaw particularly attractive to threat actors. Exploitation attempts have targeted over 130 hosts from multiple IP addresses within 48 hours of the PoC's publication. Web application firewalls, such as Akamai's Adaptive Security Engine, have been effective in mitigating some exploit attempts by default. The vulnerability's critical nature and active exploitation highlight the urgent need for patching and enhanced monitoring of Magento deployments.
Timeline
Oct 29, 2025
Researchers report active exploitation of CVE-2025-54236
By late October 2025, security reporting stated that CVE-2025-54236 was being actively exploited in the wild against Magento installations. Reported impacts included session hijacking and unauthenticated remote code execution.
Oct 22, 2025
Exploitation activity spikes after PoC release
Within 48 hours starting October 22, 2025, Akamai observed more than 300 exploit attempts against over 130 hosts from 11 IP addresses. The activity included reconnaissance probes and web shell payloads for persistence, indicating active in-the-wild exploitation.
Oct 22, 2025
Public PoC exploit for CVE-2025-54236 is released
A public proof-of-concept exploit for CVE-2025-54236 was released on October 22, 2025. Reporting indicated the PoC showed the bug could be leveraged not only for session hijacking but also for unauthenticated remote code execution.
Sep 9, 2025
Adobe discloses CVE-2025-54236 and issues emergency patch
Adobe disclosed the critical Magento/Adobe Commerce vulnerability CVE-2025-54236 on September 9, 2025, and released an emergency patch. The flaw was described as improper input validation that could enable session takeover.
Related Stories

Active Exploitation of SessionReaper Vulnerability in Adobe Magento
Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation. Adobe issued an emergency patch for SessionReaper six weeks prior to the observed attacks, but patch adoption has been slow. Attackers are leveraging PHP webshells and probes to exploit the vulnerability, with most attacks originating from a handful of IP addresses. Security experts warn that the public availability of exploit details and the high impact of the flaw make rapid patching and the activation of web application firewalls critical for all affected organizations.
1 month ago
Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
1 month ago
Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and, in some scenarios, potentially remote code execution. Affected releases span multiple 2.4.x branches, including **2.4.4 through 2.4.7**, other listed builds, and earlier releases. Security guidance escalated after reports said the flaw was being actively exploited in the wild, and it was added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.
1 week ago
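The stories above describe attackers dropping PHP web shells and probing Magento hosts with classic PHP requests, and the advisory guidance tells defenders to review logs for anomalous activity. The following script is an added example, not code from the page, from Adobe, or from Magento: it scans web-server access logs in the common "combined" format and flags any request whose path names a .php script that is not one of Magento 2's known public entry points. The allowlist (index.php, get.php, static.php, cron.php, health_check.php in pub/) is an assumption about a stock deployment and should be extended for site-specific scripts; the log lines are constructed and the addresses are documentation ranges, not indicators from any report.

```python
"""Flag requests for PHP scripts outside Magento 2's normal public entry points.

Added example (not from the page or from Adobe/Magento). A dropped web shell is a
new .php file, so a served (2xx/3xx) request for an unknown script is a strong
signal; a 404 for one is reconnaissance worth tracking per source IP.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed allowlist: the PHP entry points that ship in Magento 2's pub/ directory.
# Extend it if your deployment legitimately serves other scripts.
MAGENTO_ENTRYPOINTS = {"index.php", "get.php", "static.php", "cron.php", "health_check.php"}

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (documentation-range addresses, not real IoCs).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2025:10:14:01 +0000] "GET /index.php/rest/V1/store/storeViews HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:10:14:03 +0000] "GET /pub/errors/test.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [22/Oct/2025:10:15:22 +0000] "GET /static/version1/frontend/Magento/luma/en_US/css/styles-m.css HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2025:10:16:40 +0000] "POST /media/tmp.php HTTP/1.1" 200 44 "-" "curl/8.4"
192.0.2.33 - - [22/Oct/2025:10:17:05 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
192.0.2.33 - - [22/Oct/2025:10:17:09 +0000] "GET /get.php/media/catalog/product/a.jpg HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def php_script_name(target):
    """Return the first path segment naming a .php file (lowercased), or None.

    Magento routes requests through the first segment (e.g. /index.php/rest/...),
    so the first .php segment is the script PHP actually executes.
    """
    for seg in urlsplit(target).path.split("/"):
        if seg.lower().endswith(".php"):
            return seg.lower()
    return None


def classify(entry):
    """Return a reason string if the request is suspicious, else None."""
    script = php_script_name(entry["target"])
    if script is None or script in MAGENTO_ENTRYPOINTS:
        return None
    if entry["status"] < 400:
        return "unknown PHP script served (possible web shell)"
    return "unknown PHP script probed (not found)"


def scan(log_text):
    """Return a list of findings, one per suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than crash
        reason = classify(entry)
        if reason:
            finding = {k: entry[k] for k in ("ip", "ts", "method", "target", "status")}
            finding["reason"] = reason
            findings.append(finding)
    return findings


def count_by_ip(findings):
    """Count suspicious requests per source IP (probing bursts come from few sources)."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}: {hit["reason"]}')
    print("per-IP:", dict(count_by_ip(hits)))
```

On the constructed sample this reports the 404 probe for test.php and the served POST to tmp.php, both from the same source, while the REST API call through index.php and the get.php media request pass as normal traffic. The served case is the one to escalate first: a 2xx for a .php file your deployment never shipped means the file exists on disk and should be pulled for analysis, while the per-IP count gives the blocking decision for the WAF.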