Mallory

Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access

Tags: actively-exploited-vulnerability, identity-authentication-vulnerability, rapid-weaponization, internet-facing-service-vulnerability, persistence-method
Updated March 21, 2026 at 04:02 PM. 2 sources.

Threat actors conducted a mass exploitation campaign against Magento e-commerce deployments by abusing CVE-2025-54236 (aka SessionReaper), an authentication/session-management flaw that lets an attacker bypass login controls by reusing session tokens that were never properly invalidated server-side. Reporting based on an Oasis Security investigation described large-scale scanning that identified more than 1,000 exposed Magento Commerce APIs (1,460 by Oasis's count) and confirmed compromises of more than 200 websites (one count cites 216 victim sites), indicating broad weaponization by multiple actors across regions.

After hijacking valid admin sessions with replayed "zombie" tokens, intruders escalated privileges to root-level control of the affected Linux servers, which enabled follow-on actions such as deploying web shells for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on eSkimming/Magecart activity showed that browser-based JavaScript payment-card theft remains persistent across e-commerce sites, often through compromise of third-party scripts in the site's supply chain; a longitudinal study of 550 previously compromised sites found 18% still infected a year later. Together these findings underscore that e-commerce compromises frequently involve durable footholds and re-compromise even after an initial cleanup.
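The failure mode described above (a logout that leaves the server-side session record alive, so a captured token keeps working) next to the hardened form, as an added Python illustration. This is not Magento code and not code from Oasis Security; the SessionStore class, its method names and the timeout values are hypothetical.

```python
"""Server-side session handling: the 'zombie token' failure mode next to the
hardened form. Added illustration only; SessionStore, its methods and the
timeout values are hypothetical and not Magento's implementation."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, regardless of activity


@dataclass
class Session:
    user: str
    is_admin: bool
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Maps an opaque random token to a server-side record. All trust lives in
    the record; the token by itself proves nothing once the record is gone."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so timeouts can be tested
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, is_admin: bool = False) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = Session(user, is_admin, now, now)
        return token

    def validate(self, token: str) -> Session | None:
        """Return the live session for token, or None. Expired sessions are
        destroyed on the spot so they cannot be revived later."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self.logout(token)
            return None
        s.last_seen = now
        return s

    def logout(self, token: str) -> None:
        """Hardened logout: destroy the server-side record. A replayed copy of
        the token (stolen cookie, proxy log, browser cache) is now worthless."""
        self._sessions.pop(token, None)

    def logout_cookie_only(self, token: str) -> None:
        """Vulnerable logout: the client is told to drop its cookie, but the
        server-side record survives untouched. Anyone who captured the token
        still holds a live session; this is the 'zombie' token failure mode."""
        return None

    def rotate(self, token: str) -> str | None:
        """Issue a fresh token at login and at every privilege change, so a
        token fixed or captured before the trust boundary cannot cross it."""
        s = self._sessions.pop(token, None)
        if s is None or s.revoked:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s
        return new_token

    def revoke_user(self, user: str) -> int:
        """Incident-response control: kill every session of a user (e.g. after a
        credential reset) without knowing which tokens the attacker holds."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def demo() -> dict[str, bool]:
    """Replay the same captured token after each style of logout."""
    store = SessionStore()
    t = store.login("admin", is_admin=True)
    store.logout_cookie_only(t)
    weak = store.validate(t) is not None       # True: the token still works

    t2 = store.login("admin", is_admin=True)
    store.logout(t2)
    hardened = store.validate(t2) is not None  # False: replay is rejected
    return {"replay_after_weak_logout": weak, "replay_after_hardened_logout": hardened}


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation must happen where the trust is stored: rotating the token on login and on privilege change, expiring it on idle and absolute timers, and offering a per-user kill switch all fall out naturally once the server-side record is the only source of truth.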

Timeline

  1. Jan 30, 2026

    Oasis Security disclosed active exploitation and urged immediate patching

    By January 30, 2026, Oasis Security publicly reported the ongoing mass exploitation of SessionReaper and warned administrators to patch immediately and audit logs for suspicious session token activity. The disclosure highlighted the risk to customer and payment data from continued attacks.

  2. Jan 30, 2026

    Researchers linked campaign infrastructure to servers in Finland and Hong Kong

    Oasis Security identified active command-and-control infrastructure associated with the exploitation activity, including an IP address in Finland and additional infrastructure in Hong Kong. The findings provided infrastructure indicators connected to the ongoing campaign.

  3. Jan 30, 2026

    Attackers deployed web shells on Magento sites in Canada and Japan

    In separate incidents tied to the campaign, attackers installed web shells on compromised Magento sites in Canada and Japan to maintain persistence and execute remote commands. Investigators also observed attackers searching systems for sensitive files, including user accounts and credentials.

  4. Jan 30, 2026

    One attack wave compromised more than 200 Magento websites

    A documented wave of the campaign resulted in root-level compromise of more than 200 websites worldwide. Attackers used the authentication bypass to take over Magento environments at scale.

  5. Jan 30, 2026

    SessionReaper flaw left Magento session tokens reusable after logout

    The vulnerability CVE-2025-54236, dubbed "SessionReaper," affected Magento session handling by allowing improperly invalidated session tokens to be reused for authentication bypass. Successful exploitation enabled session hijacking, administrative access without passwords, and potential full system compromise.

  6. Jan 1, 2026

    Mass exploitation campaign targeted Magento sites worldwide in January 2026

    During January 2026, multiple intrusion sets actively exploited CVE-2025-54236 against Magento e-commerce sites across several regions. Oasis Security reported hundreds of compromised stores and identified 1,460 vulnerable Magento Commerce APIs exposed to attack.
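The log audit the timeline recommends (look for session tokens that stay active after a logout, or that move between source addresses) as an added Python example. The log format, field names and sample lines are constructed for illustration and are not Magento's log format; the detection rules are the generic ones a responder would apply to any admin activity log.

```python
"""Hunt for zombie-session signals in an admin activity log. Added example on a
constructed, hypothetical log format; it is not a Magento log format and the
sample lines below are made up."""
from __future__ import annotations

import re
from collections import defaultdict

# One line per admin action: timestamp, session id, source IP, user, event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

# Constructed sample. s1 is a normal session. s2 is replayed two hours after its
# logout from a different address. s3 acts as admin without any recorded login.
SAMPLE_LOG = """\
2026-01-30T09:00:00Z sid=s1 ip=198.51.100.10 user=admin event=login
2026-01-30T09:05:00Z sid=s1 ip=198.51.100.10 user=admin event=edit_product
2026-01-30T09:10:00Z sid=s1 ip=198.51.100.10 user=admin event=logout
2026-01-30T09:20:00Z sid=s2 ip=198.51.100.10 user=admin event=login
2026-01-30T09:25:00Z sid=s2 ip=198.51.100.10 user=admin event=logout
2026-01-30T11:40:00Z sid=s2 ip=203.0.113.7 user=admin event=create_admin_user
2026-01-30T11:41:00Z sid=s2 ip=203.0.113.7 user=admin event=upload_file
2026-01-30T12:00:00Z sid=s3 ip=203.0.113.7 user=admin event=upload_file
"""


def parse(text: str) -> list[dict]:
    """Parse lines in the format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(events: list[dict]) -> dict[str, list[str]]:
    """Return {sid: [findings]} for sessions that look replayed or forged.
    Assumes events are in chronological order, as they are in a log file."""
    findings: dict[str, list[str]] = defaultdict(list)
    logged_out: set[str] = set()
    seen_login: set[str] = set()
    flagged_no_login: set[str] = set()
    ips: dict[str, set[str]] = defaultdict(set)

    for e in events:
        sid, ev, ip, ts = e["sid"], e["event"], e["ip"], e["ts"]
        ips[sid].add(ip)
        if ev == "login":
            seen_login.add(sid)
            logged_out.discard(sid)
        elif ev == "logout":
            logged_out.add(sid)
        elif sid in logged_out:
            # The token kept working after the user ended the session.
            findings[sid].append(f"{ev} at {ts} from {ip} after logout")
        elif sid not in seen_login and sid not in flagged_no_login:
            # Authenticated activity on a session never established here.
            flagged_no_login.add(sid)
            findings[sid].append(f"{ev} at {ts} from {ip} with no recorded login")

    # A single session seen from several addresses is a classic hijack signal.
    for sid, addrs in ips.items():
        if len(addrs) > 1:
            findings[sid].append(f"used from {len(addrs)} addresses: {sorted(addrs)}")
    return dict(findings)


if __name__ == "__main__":
    for sid, notes in audit(parse(SAMPLE_LOG)).items():
        print(sid)
        for n in notes:
            print("  -", n)
```

On the constructed sample, s1 produces nothing, s2 is reported three times (two post-logout actions plus the address change) and s3 once for acting without a login. Against a real deployment the same three rules apply to whatever the platform's admin action log and web server access log record; the "no recorded login" rule is the one that catches a session minted through an API bypass rather than the login form.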

Related Stories

Critical Magento SessionReaper Vulnerability (CVE-2025-54236) Enables Session Hijacking and Remote Code Execution

A critical vulnerability in the Magento ecommerce platform, identified as CVE-2025-54236 and dubbed 'SessionReaper,' has been actively exploited in the wild. The flaw allows attackers to hijack user sessions and achieve unauthenticated remote code execution (RCE) on affected Magento installations. Security researchers observed a surge in exploitation attempts following the public release of a proof-of-concept (PoC) exploit, with attackers deploying web shells and conducting reconnaissance using classic PHP probes. Adobe released an emergency patch for the vulnerability, and organizations are urged to apply it immediately to mitigate risk. Magento's widespread use and history of critical vulnerabilities make this flaw particularly attractive to threat actors. Exploitation attempts have targeted over 130 hosts from multiple IP addresses within 48 hours of the PoC's publication. Web application firewalls, such as Akamai's Adaptive Security Engine, have been effective in mitigating some exploit attempts by default. The vulnerability's critical nature and active exploitation highlight the urgent need for patching and enhanced monitoring of Magento deployments.

1 month ago
Active Exploitation of SessionReaper Vulnerability in Adobe Magento

Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation. Adobe issued an emergency patch for SessionReaper six weeks prior to the observed attacks, but patch adoption has been slow. Attackers are leveraging PHP webshells and probes to exploit the vulnerability, with most attacks originating from a handful of IP addresses. Security experts warn that the public availability of exploit details and the high impact of the flaw make rapid patching and the activation of web application firewalls critical for all affected organizations.

1 month ago
Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images

A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a **1x1-pixel SVG** embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG `onload` handler, decodes it with `atob()`, and runs it via `setTimeout`, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake **"Secure Checkout"** overlay that captures billing and payment details before validating card numbers with the **Luhn algorithm**. The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the **PolyShell** vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious `onload` code, check for the `_mgx_cv` localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to **`23.137.249.67`** hosted by IncogNet in the Netherlands.

3 weeks ago
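The hunt the story above recommends (hidden SVG tags with suspicious `onload` code, the `_mgx_cv` marker) as an added Python example that scans saved checkout HTML. This is not Sansec's tooling; the sample page is constructed, the decoded "payload" is a harmless placeholder that only sets the campaign's localStorage key, and the function names are hypothetical. The only indicator taken from the story is the `_mgx_cv` marker.

```python
"""Hunt for an inline-SVG skimmer in saved checkout HTML. Added example, not
Sansec's tooling; the sample page and decoded placeholder are constructed, and
the marker list comes from the indicator named in the story above."""
from __future__ import annotations

import base64
import re
from html.parser import HTMLParser

# Calls that have no business in an onload handler on a 1x1 image.
SUSPICIOUS_CALLS = ("atob(", "eval(", "setTimeout(", "Function(", "fromCharCode")
# Strings reported as indicators for this campaign.
KNOWN_MARKERS = ("_mgx_cv",)
B64_IN_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def _is_tiny(attrs: dict[str, str]) -> bool:
    """True for a 1x1 (or 0x0) element or one hidden via inline style."""
    def px(v: str) -> float | None:
        m = re.match(r"^\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", v)
        return float(m.group(1)) if m else None
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return hidden or (w is not None and h is not None and w <= 1 and h <= 1)


def _decode_payloads(code: str) -> list[str]:
    """Decode every base64 literal passed to atob() so the next stage is readable."""
    out = []
    for lit in B64_IN_ATOB.findall(code):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeError):
            continue
    return out


class HandlerFinder(HTMLParser):
    """Collects every element with an on* handler that is tiny or uses a
    suspicious call, and decodes any atob() literal inside the handler."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        handlers = {k: v for k, v in a.items() if k.startswith("on") and v}
        if not handlers:
            return
        tiny = _is_tiny(a)
        for name, code in handlers.items():
            calls = [c for c in SUSPICIOUS_CALLS if c in code]
            if not (tiny or calls):
                continue
            decoded = _decode_payloads(code)
            text = code + "\n".join(decoded)
            self.findings.append({
                "tag": tag, "handler": name, "tiny": tiny,
                "suspicious_calls": calls,
                "decoded_payloads": decoded,
                "markers": [m for m in KNOWN_MARKERS if m in text],
            })


def scan_html(html: str) -> list[dict]:
    p = HandlerFinder()
    p.feed(html)
    p.close()
    return p.findings


def build_sample() -> str:
    """Constructed checkout page. The 'payload' is a harmless placeholder that
    only touches the campaign's localStorage key; no skimmer logic is included."""
    placeholder = "localStorage.setItem('_mgx_cv','1'); /* constructed placeholder */"
    b64 = base64.b64encode(placeholder.encode()).decode()
    return f"""<html><body>
<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>
<img src="/logo.png" onload="this.classList.add('loaded')">
<form id="checkout">
<svg width="1" height="1" onload="setTimeout(function(){{eval(atob('{b64}'))}},0)"></svg>
<input name="cc_number"></form>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(build_sample()):
        print(f)
```

Run against stored copies of the checkout page rather than the live DOM: a skimmer that only injects itself client-side will not appear in server-side HTML, and a scanner that only looks at externally loaded scripts, which is what the story says this campaign was built to evade, misses an inline handler entirely. The 24x24 icon and the ordinary `img` handler in the sample are there to show that size and a benign `onload` alone do not trigger a finding.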
