Categories: Cyber Security News

Hackers Exploit Magento, Adobe Commerce RCE to Deploy Webshells

Unauthenticated attackers are actively exploiting a critical vulnerability affecting Adobe Commerce and Magento platforms worldwide.

The flaw, tracked as CVE-2025-54236 and dubbed SessionReaper, enables remote code execution and customer account takeover on thousands of online stores.

| CVE ID | Vulnerability Name | Affected Products | Type | CVSS 3.1 |
|---|---|---|---|---|
| CVE-2025-54236 | SessionReaper | Adobe Commerce & Magento (all unpatched versions) | Unauthenticated RCE, Account Takeover | 9.1 Critical |

Security researchers at Sansec detected the first mass attacks on October 22, 2025, nearly two months after Adobe released an emergency patch.

At the time of discovery, less than 40 percent of affected stores had deployed protective fixes.

SessionReaper chains a forged (malicious) session with a nested deserialization bug in Magento’s REST API, giving attackers complete control over vulnerable storefronts.

Observed exploits arrive via the /customer/address_file/upload endpoint, where attackers upload PHP backdoors disguised as session files.

Because nothing on this path requires a logged-in user, any internet-connected attacker can compromise an unpatched system without valid credentials.

Magento administrators using file-based session storage face the highest risk, though organizations relying on Redis or database-backed sessions should not assume they are safe.

Security researchers confirm multiple attack vectors exist, and the true scope of exploitation may be wider than currently understood.

Delayed Patch Deployment Creates Critical Window

Adobe released the SessionReaper patch on September 9 as an out-of-band emergency update, breaking its normal release schedule.

However, adoption remained dismally slow. By mid-September, fewer than one in three Magento stores had installed the fix.

This lag created a critical window for attackers to develop and deploy exploits. The situation worsened when Adobe accidentally leaked the patch code on GitHub, giving attackers an early look at the fix and the code paths it changes.

Adding insult to injury, Adobe’s official vulnerability advisory initially downplayed the threat, describing the impact only as account takeover and omitting any mention of remote code execution, a detail security researchers later confirmed.

Urgent Mitigation Required

SessionReaper ranks among the most severe Magento vulnerabilities ever discovered, joining a notorious roster including Shoplift (2015), the Ambionics SQL injection (2019), TrojanOrder (2022), and CosmicSting (2024).

Each previous flaw resulted in thousands of compromised stores within hours or days of public disclosure.

Organizations running unpatched Magento or Adobe Commerce instances face imminent compromise.

Immediate actions include deploying the official patch from Adobe’s repository and testing it thoroughly in staging first, since the fix disables internal Magento functionality that custom extensions may depend on.

Administrators unable to patch within 24 hours should put a Web Application Firewall (WAF) in front of the store as a stopgap, not as a substitute for the patch. Adobe Fastly and Sansec Shield currently block this specific attack.

For stores that have already patched, security researchers recommend running malware scanners to detect earlier compromises and rotating the store’s cryptographic keys, since a stolen key lets an attacker keep modifying CMS blocks indefinitely.
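The two practical hunts that follow from the description above (requests to the /customer/address_file/upload endpoint, and PHP source sitting in Magento’s file session directory where only serialized session data belongs) can be scripted. The block below is an added example written for this page; it is not code from Sansec, Adobe or the article, and it does not reproduce the exploit. The log format, the session file contents and the webshell heuristics are assumptions: the access log is Apache/nginx combined format, the session files are what PHP’s file session handler writes under var/session by default, and the function names are ours.

```python
"""
Hunting helpers for SessionReaper-style abuse of Magento's
/customer/address_file/upload endpoint (CVE-2025-54236).

Added example, not code from Sansec, Adobe or the article. All sample
data at the bottom is constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

UPLOAD_PATH = "/customer/address_file/upload"   # endpoint named in the article

# Apache/nginx "combined" log format (assumed); group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any PHP open tag inside a session file is anomalous: PHP's file session
# handler writes serialized session data, never source code.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)

# Execution/decoding primitives common in PHP webshells, plus backtick
# shell execution fed from a superglobal. Heuristic, not a signature.
WEBSHELL_RE = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\(|`[^`]*\$_(?:GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)


def parse_log_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_requests(log_text):
    """Return every request whose path ends with the address_file upload
    endpoint. Store-code prefixes (/en/...) and query strings are tolerated.
    On an unpatched store any hit deserves a look; POSTs are the interesting ones."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path.rstrip("/")
        if path.endswith(UPLOAD_PATH):
            hits.append(rec)
    return hits


def classify_session_file(content):
    """'clean' (no PHP tag), 'php-tag' (PHP tag only; review by hand, a
    customer may have typed '<?' into a form) or 'webshell' (PHP tag plus
    an execution primitive)."""
    if not PHP_TAG_RE.search(content):
        return "clean"
    return "webshell" if WEBSHELL_RE.search(content) else "php-tag"


def scan_session_files(files):
    """files: mapping of filename -> content (e.g. read from var/session/).
    Returns (name, verdict) for every file that is not clean, in input order."""
    findings = []
    for name, body in files.items():
        verdict = classify_session_file(body)
        if verdict != "clean":
            findings.append((name, verdict))
    return findings


# --- constructed sample data (not real traffic or real session files) -------
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Oct/2025:10:14:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Oct/2025:10:14:09 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.23 - - [22/Oct/2025:10:14:11 +0000] "GET /en/customer/address_file/upload/?x=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:10:15:30 +0000] "POST /customer/section/load HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

SAMPLE_SESSION_FILES = {
    "sess_a1b2c3": 'customer_base|a:1:{s:11:"customer_id";i:17;}',   # normal
    "sess_zz9":    '<?php eval(base64_decode($_POST["c"])); ?>',      # dropper-style shell
    "sess_y0":     '<?=`$_GET[cmd]`;',                                 # one-liner shell
    "sess_ok":     'default|a:0:{}',                                   # empty session
}

if __name__ == "__main__":
    for rec in find_upload_requests(SAMPLE_ACCESS_LOG):
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    for name, verdict in scan_session_files(SAMPLE_SESSION_FILES):
        print(f"{name}: {verdict}")
```

On a real host, feed `find_upload_requests` the web server access log covering the period since 9 September and `scan_session_files` the contents of the session directory (or the equivalent keys if sessions live in Redis or the database, which the article notes are not automatically safe). A "webshell" verdict on a session file is a strong indicator; a "php-tag" verdict is a lead to inspect, not a conviction.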

With 62 percent of stores remaining unpatched, the threat landscape continues evolving as more organizations fall victim to automated exploitation campaigns.


The post Hackers Exploit Magento, Adobe Commerce RCE to Deploy Webshells appeared first on Cyber Security News.
