Adobe Confirms Active Exploitation of SessionReaper Vulnerability in Commerce Platforms


A critical vulnerability in Adobe Commerce and Magento Open Source is under active exploitation. Tracked as CVE-2025-54236 and dubbed SessionReaper, the flaw lets an attacker bypass security controls through the Commerce REST API and take over customer accounts. Adobe shipped an emergency hotfix on September 9, yet Sansec's scans still find 62% of Magento sites unpatched, leaving tens of thousands of online stores exposed.

Security firm Sansec was the first to report real-world attacks, observing PHP webshell payloads and phpinfo probes used for reconnaissance and persistence. Attacks ramped up quickly once working exploits emerged, helped by a premature leak of Adobe's patch that gave adversaries a head start in developing them. With exploit code now public, researchers expect a surge of automated attacks against unpatched systems.

Adobe has officially confirmed that SessionReaper is being exploited in the wild, turning a technical flaw into an operational problem for online retailers. Threat actors are using it to hijack customer sessions, manipulate transactions, and exfiltrate sensitive data, putting both consumer trust and brand integrity at risk.

According to Sansec's telemetry, more than half of all Magento sites remain vulnerable, a large attack surface for opportunistic cybercriminals. Because the exploit is simple to automate and outdated Commerce installations are common, mass compromise events are likely imminent.

Immediate mitigation is non-negotiable. Administrators must apply Adobe's September 9 hotfix to every affected version (2.4.4 through 2.4.9-alpha2), then review REST API logs for unexpected write requests from unfamiliar clients and check web-server-writable directories such as pub/media for PHP files that should not exist. With SessionReaper already tearing through unpatched systems, time is the most critical defense.
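The two checks recommended above (REST API writes that are followed by webshell or phpinfo activity, and PHP files sitting in writable directories) can be automated against the store's access log and a file listing. The script below is an added example, not code from Adobe, Sansec or the article; the log lines, file paths and REST endpoints in it are constructed for illustration and do not model the actual SessionReaper request, and the prefix lists assume a standard Magento layout with pub/ as the document root.

```python
"""Triage helpers for SessionReaper follow-up: flag clients that combine REST API
writes with phpinfo probes or PHP hits under writable directories, and list PHP
files dropped where the web server should never serve them.  Added example; all
sample data is constructed and does not reproduce the real exploit request."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format as written by nginx/Apache (assumption: adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# URL prefixes served out of web-server-writable directories under pub/; a .php
# file there is never legitimate.  Filesystem equivalents for find-style listings.
WRITABLE_URL_PREFIXES = ("/media/", "/static/")
WRITABLE_FS_PREFIXES = ("pub/media/", "pub/static/", "var/")


def parse_log(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        parts = urlsplit(entry["target"])
        entry["path"], entry["query"] = parts.path, parts.query
        entries.append(entry)
    return entries


def classify(entry):
    """Return the set of indicator tags that apply to one request."""
    tags = set()
    path = entry["path"].lower()
    if "phpinfo" in entry["target"].lower():
        tags.add("phpinfo-probe")
    if path.endswith(".php") and path.startswith(WRITABLE_URL_PREFIXES):
        tags.add("php-in-writable-dir")
    if path.startswith("/rest/") and entry["method"] in ("POST", "PUT"):
        tags.add("rest-write")
    return tags


def suspicious_ips(entries):
    """IPs that issued REST writes *and* hit a webshell/phpinfo indicator."""
    tags_by_ip = defaultdict(set)
    for entry in entries:
        tags_by_ip[entry["ip"]] |= classify(entry)
    return {ip: sorted(tags) for ip, tags in tags_by_ip.items()
            if "rest-write" in tags and tags - {"rest-write"}}


def dropped_php_files(file_paths):
    """PHP files under writable dirs in a find(1)-style listing relative to the Magento root."""
    return sorted(p for p in file_paths
                  if p.endswith(".php") and p.startswith(WRITABLE_FS_PREFIXES))


# Constructed sample data.  203.0.113.7 behaves like a post-exploitation client;
# 198.51.100.4 is an ordinary shopper whose REST write (guest cart) is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2025:10:14:02 +0000] "PUT /rest/V1/customers/me HTTP/1.1" 200 512 "-" "python-requests/2.32.0"',
    '203.0.113.7 - - [23/Oct/2025:10:14:05 +0000] "GET /media/phpinfo.php HTTP/1.1" 200 84211 "-" "python-requests/2.32.0"',
    '198.51.100.4 - - [23/Oct/2025:10:15:11 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 21873 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Oct/2025:10:15:30 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2025:10:16:40 +0000] "POST /media/tmp/cache.php?cmd=id HTTP/1.1" 200 40 "-" "python-requests/2.32.0"',
]
SAMPLE_FILES = [
    "app/etc/env.php",
    "pub/index.php",
    "pub/media/catalog/product/cache/abc/image.jpg",
    "pub/media/tmp/cache.php",
    "pub/static/frontend/x.php",
    "var/log/system.log",
]

if __name__ == "__main__":
    for ip, tags in suspicious_ips(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious client {ip}: {', '.join(tags)}")
    for path in dropped_php_files(SAMPLE_FILES):
        print(f"unexpected PHP file: {path}")
```

In production, feed `parse_log` the real access log and `dropped_php_files` the output of `find . -type f` run from the Magento root; a hit from either check on a host that was unpatched between September 9 and the hotfix date is grounds for treating the store as compromised rather than merely vulnerable.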

#AdobeCommerce #Magento #SessionReaper #CVE202554236 #AdobeVulnerability #EcommerceSecurity #Sansec #CyberAttack #Webshell #AccountTakeover #ExploitInTheWild #CVEAlert #PatchNow #RESTAPI #AdobeHotfix #CyberThreats #MagentoSecurity
