Critical Magento SessionReaper Vulnerability (CVE-2025-54236) Enables Session Hijacking and Remote Code Execution
A critical vulnerability in the Magento ecommerce platform, identified as CVE-2025-54236 and dubbed 'SessionReaper,' has been actively exploited in the wild. The flaw allows attackers to hijack user sessions and achieve unauthenticated remote code execution (RCE) on affected Magento installations. Security researchers observed a surge in exploitation attempts following the public release of a proof-of-concept (PoC) exploit, with attackers deploying web shells and conducting reconnaissance using classic PHP probes. Adobe released an emergency patch for the vulnerability, and organizations are urged to apply it immediately to mitigate risk.
Magento's widespread use and history of critical vulnerabilities make this flaw particularly attractive to threat actors. Exploitation attempts have targeted over 130 hosts from multiple IP addresses within 48 hours of the PoC's publication. Web application firewalls, such as Akamai's Adaptive Security Engine, have been effective in mitigating some exploit attempts by default. The vulnerability's critical nature and active exploitation highlight the urgent need for patching and enhanced monitoring of Magento deployments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers report active exploitation of CVE-2025-54236
By late October 2025, security reporting stated that CVE-2025-54236 was being actively exploited in the wild against Magento installations. Reported impacts included session hijacking and unauthenticated remote code execution.
Exploitation activity spikes after PoC release
Within 48 hours starting October 22, 2025, Akamai observed more than 300 exploit attempts against over 130 hosts from 11 IP addresses. The activity included reconnaissance probes and web shell payloads for persistence, indicating active in-the-wild exploitation.
Public PoC exploit for CVE-2025-54236 is released
A public proof-of-concept exploit for CVE-2025-54236 was released on October 22, 2025. Reporting indicated the PoC showed the bug could be leveraged not only for session hijacking but also for unauthenticated remote code execution.
Adobe discloses CVE-2025-54236 and issues emergency patch
Adobe disclosed the critical Magento/Adobe Commerce vulnerability CVE-2025-54236 on September 9, 2025 and released an emergency patch. The flaw was described as improper input validation that could enable session takeover.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of SessionReaper Vulnerability in Adobe Magento
Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation. Adobe issued an emergency patch for SessionReaper six weeks prior to the observed attacks, but patch adoption has been slow. Attackers are leveraging PHP webshells and probes to exploit the vulnerability, with most attacks originating from a handful of IP addresses. Security experts warn that the public availability of exploit details and the high impact of the flaw make rapid patching and the activation of web application firewalls critical for all affected organizations.
Mar 21, 2026Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
Mar 21, 2026
Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including versions from **2.4.4 through 2.4.7** and other listed builds and earlier releases. Security guidance escalated after reports said the flaw was being actively exploited in the wild and added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.
May 16, 2026