The flaw, tracked as CVE-2025-54236 and dubbed SessionReaper, enables remote code execution and customer account takeover on thousands of online stores.
| CVE ID | Vulnerability Name | Affected Products | Type | CVSS 3.1 |
|---|---|---|---|---|
| CVE-2025-54236 | SessionReaper | Adobe Commerce & Magento (all versions) | Unauthenticated RCE, Account Takeover | 9.1 Critical |
Security researchers at Sansec detected the first mass attacks on October 22, 2025, nearly two months after Adobe released an emergency patch.
At the time of discovery, fewer than 40 percent of affected stores had deployed the fix.
SessionReaper combines a malicious session with a nested deserialization bug in Magento’s REST API to give attackers complete control over vulnerable storefronts.
Observed exploits arrive via the /customer/address_file/upload endpoint, where attackers upload fake session files that actually carry PHP backdoors.
No authentication is required: any attacker who can reach an unpatched instance over the internet can compromise it without valid credentials.
Magento administrators using file-based session storage face the highest risk, though organizations relying on Redis or database-backed sessions should not assume they are safe.
Security researchers confirm multiple attack vectors exist, and the true scope of exploitation may be wider than currently understood.
Adobe released the SessionReaper patch on September 9 as an out-of-band emergency update, breaking its normal release schedule.
However, adoption remained dismally slow. By mid-September, fewer than one in three Magento stores had installed the fix.
This lag created a critical window for attackers to develop and deploy exploits. The situation worsened when Adobe accidentally leaked the patch code on GitHub, potentially accelerating attacker preparations.
Adding insult to injury, Adobe’s official vulnerability advisory initially downplayed the threat, describing the impact only as account takeover and omitting any mention of remote code execution, a detail security researchers later confirmed.
SessionReaper ranks among the most severe Magento vulnerabilities ever discovered, joining a notorious roster including Shoplift (2015), the Ambionics SQL injection (2019), TrojanOrder (2022), and CosmicSting (2024).
Each previous flaw resulted in thousands of compromised stores within hours or days of public disclosure.
Organizations running unpatched Magento or Adobe Commerce instances face imminent compromise.
Immediate actions include deploying the official patch from Adobe’s repository and testing it in a staging environment first, because the fix disables internal Magento functionality on which some custom extensions depend.
Administrators who cannot patch within 24 hours should put a Web Application Firewall (WAF) in front of the store as a temporary stopgap, not as a substitute for patching. Adobe’s Fastly WAF and Sansec Shield currently block this specific attack.
For stores that have already patched, security researchers recommend running malware scanners to detect existing compromises and rotating the store’s cryptographic keys, since a stolen key lets an attacker keep modifying CMS blocks indefinitely.
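The two observations above that a defender can act on directly are the upload endpoint named earlier (/customer/address_file/upload) and the fact that the planted files are PHP code masquerading as session files. The following triage script, added here as an illustration and not code from the article, Sansec or Adobe, turns both into checks: it pulls every request to that endpoint out of web-server access logs in the common combined format, and it scans a file-based PHP session directory for files that contain a PHP open tag or do not follow PHP's `name|serialized` session record format. The log lines, session file names and contents are constructed for the demo; the endpoint path is the one the article gives, and the assumption that a genuine session file never contains `<?php` is the detection heuristic, not something the article states.

```python
"""Triage helpers for the SessionReaper pattern described in the article.

Check 1: find requests to the upload endpoint in access logs.
Check 2: find files in a file-based PHP session directory that look like
         planted PHP rather than serialized session data.

All sample log lines and session files below are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Endpoint named in the article as the delivery path for the fake session files.
UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Request field of an Apache/nginx combined log line: "METHOD /path HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# PHP open tags. Heuristic (assumption): a genuine PHP session file is
# serialized key|value data and never contains one.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# PHP's default session serializer writes records as "name|<serialized value>".
SESSION_FORMAT_RE = re.compile(rb"^[A-Za-z0-9_]+\|")


def upload_requests(log_lines):
    """Return (method, path, status) for every request to the upload endpoint.

    The path is compared without query string or trailing slash so that
    variants such as '/customer/address_file/upload?x=1' are still caught.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == UPLOAD_ENDPOINT:
            hits.append((m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


def scan_session_dir(session_dir):
    """Return {filename: [reasons]} for session files that look like planted PHP."""
    flagged = {}
    for path in sorted(Path(session_dir).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        reasons = []
        if PHP_TAG_RE.search(data):
            reasons.append("contains PHP open tag")
        if data and not SESSION_FORMAT_RE.match(data):
            reasons.append("not in PHP session serialize format")
        if reasons:
            flagged[path.name] = reasons
    return flagged


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [22/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Oct/2025:10:01:09 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.9 - - [22/Oct/2025:10:01:10 +0000] "POST /customer/address_file/upload?x=1 HTTP/1.1" 200 87 "-" "curl/8.5.0"',
]


def demo():
    """Build a constructed session directory, run both checks, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # A legitimate-looking session record (constructed).
        (d / "sess_0f3a").write_bytes(b'customer_base|a:1:{s:2:"id";i:7;}')
        # A "session" file that is really PHP (constructed stand-in for a dropped webshell).
        (d / "sess_deadbeef").write_bytes(b"<?php /* constructed stand-in for a webshell */ ?>")
        flagged = scan_session_dir(d)
    return upload_requests(SAMPLE_LOG), flagged


if __name__ == "__main__":
    requests, flagged = demo()
    for hit in requests:
        print("upload endpoint hit:", hit)
    for name, reasons in flagged.items():
        print("suspicious session file:", name, "->", "; ".join(reasons))
```

In practice, point `scan_session_dir` at the store's session save path (only meaningful for file-based session storage) and feed `upload_requests` the real access log. A hit on the endpoint is not proof of compromise on its own, since the endpoint exists for legitimate customer address uploads, but a hit followed by a PHP-bearing file in the session directory is the pattern the article describes and should be treated as a compromise until proven otherwise.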
With 62 percent of stores remaining unpatched, the threat landscape continues evolving as more organizations fall victim to automated exploitation campaigns.
The post Hackers Exploit Magento, Adobe Commerce RCE to Deploy Webshells appeared first on Cyber Security News.