Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against Magento e-commerce deployments by abusing CVE-2025-54236 (aka SessionReaper), an authentication/session management flaw that allows attackers to bypass login controls by reusing improperly invalidated session tokens. Reporting based on an Oasis Security investigation described large-scale scanning that identified 1,000+ exposed/vulnerable Magento Commerce APIs and confirmed compromises of 200+ websites (with one count citing 216 victim sites), indicating broad weaponization by multiple actors across regions.
After hijacking valid admin sessions via replayed "zombie" tokens, intruders escalated privileges to achieve root-level control of affected Linux servers, enabling follow-on actions such as deploying web shells for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on eSkimming/Magecart activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites, often via third-party script or supply-chain compromise. A longitudinal study of 550 previously compromised sites found 18% still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Oasis Security disclosed active exploitation and urged immediate patching
By January 30, 2026, Oasis Security publicly reported the ongoing mass exploitation of SessionReaper and warned administrators to patch immediately and audit logs for suspicious session token activity. The disclosure highlighted the risk to customer and payment data from continued attacks.
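The advice above to audit logs for suspicious session token activity can be turned into a small check. The following is an added example, not code from Oasis Security, Magento or the reporting sources: it parses a constructed, simplified authentication log (the line format, session IDs, users and documentation-range IP addresses are all invented for the example) and flags the two patterns the story describes, a session token still being used after its logout event and a session that changes source address mid-life, plus activity on a session with no login in the audited window.

```python
"""Audit a simplified authentication log for session-token reuse.

Added example. The log format below is constructed for illustration and is not
Magento's real log format; adapt LOG_RE to the fields your platform emits.
Each line: <iso-timestamp> <event> session=<id> ip=<addr> [user=<name>]
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|logout|request) "
    r"session=(?P<sid>\S+) ip=(?P<ip>\S+)(?: user=(?P<user>\S+))?$"
)

# Constructed sample log: s1 is replayed after logout, s2 jumps to a new
# address, s9 appears with no login at all in the window.
SAMPLE_LOG = """\
2026-01-28T09:00:01Z login session=s1 ip=203.0.113.10 user=admin
2026-01-28T09:05:12Z request session=s1 ip=203.0.113.10
2026-01-28T09:30:00Z logout session=s1 ip=203.0.113.10
2026-01-28T11:02:44Z request session=s1 ip=198.51.100.7
2026-01-28T12:00:00Z login session=s2 ip=203.0.113.11 user=alice
2026-01-28T12:10:00Z request session=s2 ip=203.0.113.11
2026-01-28T12:15:00Z request session=s2 ip=192.0.2.55
2026-01-28T13:00:00Z request session=s9 ip=198.51.100.7
"""

Finding = Tuple[str, str, str]  # (session id, timestamp, description)


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return findings for sessions used after logout, moved between source
    addresses, or active without any login in the audited window."""
    state: Dict[str, Dict[str, object]] = {}  # sid -> login ip, user, logged_out
    findings: List[Finding] = []
    for ev in parse(lines):
        sid = ev["sid"]
        if ev["event"] == "login":
            state[sid] = {"ip": ev["ip"], "user": ev["user"], "logged_out": False}
            continue
        s = state.get(sid)
        if s is None:
            findings.append((sid, ev["ts"], "activity on session with no login in window"))
            continue
        if ev["event"] == "logout":
            s["logged_out"] = True
            continue
        if s["logged_out"]:
            findings.append((sid, ev["ts"], "session reused after logout"))
        elif ev["ip"] != s["ip"]:
            findings.append((sid, ev["ts"], f"session moved from {s['ip']} to {ev['ip']}"))
    return findings


if __name__ == "__main__":
    for sid, ts, why in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts} {sid}: {why}")
```

A session that is "reused after logout" is the strongest signal here: a correctly invalidated token cannot produce that line at all, so any hit points either at incomplete invalidation or at a replayed token. Address changes are noisier (mobile clients, proxies) and are better treated as a triage hint than an alert on their own.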
Researchers linked campaign infrastructure to servers in Finland and Hong Kong
Oasis Security identified active command-and-control infrastructure associated with the exploitation activity, including an IP address in Finland and additional infrastructure in Hong Kong. The findings provided infrastructure indicators connected to the ongoing campaign.
Attackers deployed web shells on Magento sites in Canada and Japan
In separate incidents tied to the campaign, attackers installed web shells on compromised Magento sites in Canada and Japan to maintain persistence and execute remote commands. Investigators also observed attackers searching systems for sensitive files, including user accounts and credentials.
One attack wave compromised more than 200 Magento websites
A documented wave of the campaign resulted in root-level compromise of more than 200 websites worldwide. Attackers used the authentication bypass to take over Magento environments at scale.
SessionReaper flaw left Magento session tokens reusable after logout
The vulnerability CVE-2025-54236, dubbed "SessionReaper," affected Magento session handling by allowing improperly invalidated session tokens to be reused for authentication bypass. Successful exploitation enabled session hijacking, administrative access without passwords, and potential full system compromise.
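To make the failure mode concrete, the following is an added example and not Magento's session code or a reproduction of the CVE-2025-54236 mechanism: a minimal server-side session store in which the flawed logout only tells the client to drop its cookie while leaving the server record alive, so a previously captured token keeps authenticating, beside the hardened logout that removes the record. It also includes the two controls a practitioner usually pairs with that fix, an absolute expiry and a revoke-all-for-user hook for password changes or suspected compromise. All names and the store layout are assumptions of the example.

```python
"""Minimal session store contrasting a logout that leaves the token usable
with one that invalidates it server-side. Added illustrative example; not
Magento's implementation and not a description of the real CVE."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    is_admin: bool
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    """Server-side session table keyed by an opaque random token."""
    ttl: float = 3600.0  # absolute lifetime in seconds (assumed value)
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, is_admin: bool = False, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = Session(user, is_admin, now, now + self.ttl)
        return token

    def logout_flawed(self, token: str) -> None:
        """Flawed logout: the client is told to discard its cookie (not shown)
        but the server record is untouched, so the token stays valid."""
        return None

    def logout(self, token: str) -> None:
        """Hardened logout: drop the server-side record so the token can never
        authenticate again, whatever the client does with its cookie."""
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user: str) -> int:
        """Invalidate every session of a user (password change, suspected
        compromise). Returns the number of sessions removed."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the session for a token, or None if unknown or expired.
        Expired records are purged on sight so they cannot linger."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]
            return None
        return session


def replay_after_logout(use_flawed_logout: bool) -> bool:
    """Log in as an admin, log out, then present the same token again.
    Returns True if the replayed token is still accepted."""
    store = SessionStore()
    token = store.login("admin", is_admin=True)
    if use_flawed_logout:
        store.logout_flawed(token)
    else:
        store.logout(token)
    return store.authenticate(token) is not None


if __name__ == "__main__":
    print("flawed logout, token still valid:", replay_after_logout(True))
    print("hardened logout, token still valid:", replay_after_logout(False))
```

The point of the contrast is that client-side cookie deletion is not invalidation: only the server-side record decides whether a token authenticates, so logout, password change and incident response all need to act on that record. Token binding to a client fingerprint or re-authentication for sensitive admin actions are further layers, but they do not replace server-side invalidation.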
Mass exploitation campaign targeted Magento sites worldwide in January 2026
During January 2026, multiple intrusion sets actively exploited CVE-2025-54236 against Magento e-commerce sites across several regions. Oasis Security reported hundreds of compromised stores and identified 1,460 vulnerable Magento Commerce APIs exposed to attack.
Sources
Attackers Hijacked 200+ Websites Exploiting Magento Vulnerability to Gain Root-level Access (cybersecuritynews.com)
"SessionReaper" Harvests Roots: Mass Exploitation Campaign Hits Over 200 Magento Sites (securityonline.info)