Critical ‘SessionReaper’ Exploit Hits Adobe Commerce and Magento - Urgent Patching Advised to Prevent Global E-Commerce Breaches
Adobe Commerce and Magento Open Source Vulnerability Exploitation - “SessionReaper” (CVE-2025-54236)
Global - October 2025
Overview: A critical vulnerability identified as CVE-2025-54236, nicknamed “SessionReaper,” is being actively exploited against Adobe Commerce and Magento Open Source platforms. The flaw, rated as critical with a CVSS score above 9.0, arises from improper input validation within the Commerce REST API. This vulnerability allows attackers to hijack user sessions and, in some configurations, execute arbitrary code remotely.
Technical Details: The vulnerability stems from how the REST API handles session data. By sending crafted API requests, attackers can manipulate or create unauthorized sessions without authentication. In environments using file-based, Redis, or database-backed session storage, this can escalate to remote code execution (RCE), allowing full system compromise. Exploits have been observed that lead to PHP webshell uploads and privilege escalation on unpatched servers.
Exploitation in the Wild: Security researchers and incident response teams have detected widespread scanning and exploitation attempts across multiple Magento sites. Hundreds of exploitation events and dozens of confirmed compromises have been recorded globally. Attackers have used automated bots to identify vulnerable endpoints and deploy malicious payloads soon after disclosure of the vulnerability.
Observed Attack Patterns: Cybercriminals exploiting “SessionReaper” are focusing on session hijacking, webshell deployment, data theft, and manipulation of e-commerce operations. Some attacks aim to steal customer and payment information, modify order data, or create administrative backdoors for future access. Malicious traffic has been traced to multiple IP clusters associated with known exploit frameworks.
Mitigation Recommendations:
- Immediately apply the latest Adobe Commerce and Magento Open Source security updates released for CVE-2025-54236.
- If patching is delayed, implement Web Application Firewall (WAF) rules to block suspicious REST API requests.
- Inspect web directories for newly added or modified PHP files, especially within media, var, pub, or vendor folders.
- Rotate all administrator and customer session tokens and clear session storage to prevent re-use by attackers.
- Conduct a full malware scan and review access logs for irregular API activity or unknown administrator actions.
Indicators of Compromise (IoCs):
- Unexpected customer session persistence or unauthorized access without login.
- New or altered PHP files in webroot directories with obfuscated code.
- Unusual POST requests targeting REST API endpoints with large or nested payloads.
- Outbound network connections from the webserver to suspicious IP addresses.
- Multiple failed or unusual logins from identical IPs or non-standard user agents.
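An added triage example, not part of this advisory: a small Python helper that applies two of the access-log indicators above (oversized POST payloads to REST API endpoints, and bursts of POSTs to one endpoint from a single IP) to web server logs. The log lines are constructed, and the parser assumes a combined log format with the request body size appended as the final field; adjust the regex and thresholds to your own logging configuration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format plus a trailing
# request-body-size field). Addresses and paths are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "POST /rest/V1/guest-carts/abc/items HTTP/1.1" 200 512 "-" "Mozilla/5.0" 845
203.0.113.10 - - [12/Oct/2025:10:01:05 +0000] "POST /rest/V1/guest-carts/abc/items HTTP/1.1" 200 512 "-" "Mozilla/5.0" 48211
203.0.113.10 - - [12/Oct/2025:10:01:07 +0000] "POST /rest/V1/guest-carts/abc/items HTTP/1.1" 200 512 "-" "Mozilla/5.0" 902
198.51.100.7 - - [12/Oct/2025:10:02:11 +0000] "POST /rest/V1/carts/mine/items HTTP/1.1" 200 640 "-" "Mozilla/5.0" 310
192.0.2.5 - - [12/Oct/2025:10:03:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 0
"""

# Assumed log layout: the last field is the request body size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<req_bytes>\d+)$'
)


def find_suspicious_rest_posts(log_text, max_body=4096, burst=3):
    """Return (reason, ip, path) findings for POST traffic to the REST API.

    Two heuristics from the advisory's IoC list are applied:
      - a request body larger than max_body bytes (large or nested payloads)
      - at least `burst` POSTs to the same endpoint from one IP in the sample
    Thresholds are starting points for triage, not proof of compromise.
    """
    findings = []
    per_ip_endpoint = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if m["method"] != "POST" or not m["path"].startswith("/rest/"):
            continue
        ip, path = m["ip"], m["path"]
        per_ip_endpoint[(ip, path)] += 1
        if int(m["req_bytes"]) > max_body:
            findings.append(("oversized_rest_post", ip, path))
    for (ip, path), count in per_ip_endpoint.items():
        if count >= burst:
            findings.append(("rest_post_burst", ip, path))
    return findings


if __name__ == "__main__":
    for reason, ip, path in find_suspicious_rest_posts(SAMPLE_LOG):
        print(f"{reason}: {ip} -> {path}")
```

Hits should be correlated with the file-integrity and session checks listed in the mitigation section before any IP is blocked, since legitimate integrations also post to the REST API.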
Response and Recovery: Administrators should isolate compromised systems, patch immediately, remove malicious scripts, and rotate all access credentials. Perform a detailed forensic review of web, database, and Redis logs. Notify customers and partners if any personal or payment data exposure is suspected, and coordinate with relevant cybersecurity authorities if large-scale compromise is confirmed.
Conclusion: The “SessionReaper” vulnerability represents a severe risk to online commerce platforms due to its potential for remote code execution and account hijacking. Rapid patching and thorough system auditing are essential to minimize damage. All Adobe Commerce and Magento Open Source users are strongly advised to update immediately, enforce multi-layered protection, and maintain constant monitoring of REST API activity.