Active Exploitation of SessionReaper Vulnerability in Adobe Magento
Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation.
Adobe issued an emergency patch for SessionReaper six weeks before the attacks were observed, but patch adoption has been slow. Observed attacks use the vulnerability to deploy PHP webshells and reconnaissance probes, with most attempts originating from a handful of IP addresses. Security experts warn that the public availability of exploit details, combined with the flaw's high impact, makes rapid patching and the activation of web application firewalls critical for all affected organizations.

How this story unfolded
Seven events, listed from the most recent confirmed update back to the earliest known activity.
Sansec warns most Magento stores remain unpatched
Roughly six weeks after the patch, Sansec said only about 38% of Magento stores had patched, leaving about 62% still vulnerable. Researchers warned that low patch adoption and public exploit details could enable mass automated exploitation.
Adobe updates advisory to confirm in-the-wild exploitation
After the patch release, Adobe later updated its security advisory to acknowledge that CVE-2025-54236 was being exploited in the wild. This update was referenced by later reporting on the active attacks.
Sansec detects over 250 SessionReaper exploitation attempts
Sansec reported blocking more than 250 exploitation attempts against multiple Magento/Adobe Commerce stores in a single day, with payloads including PHP webshells and phpinfo probes from multiple IP addresses. The activity marked clear in-the-wild exploitation of CVE-2025-54236.
Technical analysis and PoC for SessionReaper are published
Assetnote/Searchlight Cyber published a reverse-engineering-based technical analysis and proof-of-concept for SessionReaper, describing how the bug could lead to unauthenticated remote code execution in some configurations. Multiple sources say public exploit details increased the likelihood of rapid weaponization.
Adobe releases emergency patch for SessionReaper
Adobe released a hotfix/emergency update for CVE-2025-54236 to address the SessionReaper flaw. Reports place the patch release on September 9, 2025.
Adobe discloses CVE-2025-54236 advisory
Adobe publicly disclosed CVE-2025-54236, a critical improper input validation flaw in Adobe Commerce and Magento Open Source that can enable customer session takeover via the REST API. Multiple reports cite September 8, 2025 as the disclosure date.
Researcher responsibly discloses SessionReaper to Adobe
Security researcher Blaklis responsibly disclosed the SessionReaper vulnerability, later tracked as CVE-2025-54236, to Adobe before public exploitation was reported. The disclosure prompted Adobe to prepare an emergency fix.
Sources
SessionReaper Exploits Erupt as Magento Sites Lag on Patching (thecyberexpress.com)
Thousands of online stores at risk as SessionReaper attacks spread (malwarebytes.com)
Attacks involving Adobe Commerce SessionReaper vulnerability ongoing (scworld.com)
Critical Adobe Commerce, Magento vulnerability under attack (CVE-2025-54236) (helpnetsecurity.com)
SessionReaper (CVE-2025-54236): Critical Adobe Commerce Vulnerability Actively Exploited (socradar.io)
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw (thehackernews.com)
Hackers exploiting critical "SessionReaper" flaw in Adobe Magento (bleepingcomputer.com)
SessionReaper attacks have started, 3 in 5 stores still vulnerable (sansec.io)