Hackers Exploit “SessionReaper” Flaw in Adobe Magento to Hijack E-Commerce Stores

SessionReaper (CVE-2025-54236) is being actively exploited in Adobe Commerce and Magento stores, enabling account takeover and web-shell deployment as more than 60% of installations remain unpatched.

    A critical vulnerability in the Adobe Commerce and Magento Open Source platforms, dubbed SessionReaper and tracked as CVE-2025-54236, is being actively exploited in the wild. The flaw enables unauthenticated attackers to hijack user sessions and, in certain configurations, deploy webshells to gain full remote code execution on vulnerable e-commerce websites.

    Vulnerability Enables Pre-Auth Account Takeover and Remote Code Execution

    SessionReaper stems from an improper input-validation defect in the ServiceInputProcessor component of Magento’s REST API. The flaw permits an attacker to craft specially formed requests that manipulate session objects or uploaded data, enabling complete account takeover and, if the site uses file-based session storage, remote code execution. With a CVSS score of 9.1, this vulnerability is among the most severe in the platform’s history.

    Experts observed that attackers first compromise customer sessions and then escalate privileges to administrative roles. The underlying vulnerability maps directly to MITRE ATT&CK techniques including T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols – C2 over WebSocket/HTTP), and T1505.003 (Web Shell). This makes the attack chain unusually efficient, from initial breach to full system control.

    Exploitation Waves Surge as Patch Adoption Remains Low

    Following Adobe’s emergency update in September 2025, active exploitation was reported immediately. Security firm Sansec recorded over 250 exploit attempts within a single 24-hour window. The attacks were tracked back to at least five IP addresses, which may indicate multiple threat actors or a single actor using obfuscated infrastructure.

    Alarmingly, telemetry shows that 62% of Magento stores remain unpatched several weeks after the fix was published. Attackers are dropping PHP webshells via /customer/address_file/upload paths or probing phpinfo() endpoints to harvest system information—steps which facilitate rapid persistence and lateral movement once a site is compromised.

    E-Commerce Platforms Face High Stakes: Customer Data, Payments and Brand Risk

    Adobe Commerce and Magento Open Source power tens of thousands of retail websites worldwide. The SessionReaper exploitation risk extends beyond site defacement or customer account takeover: in prior incidents, compromised stores have exposed payment card data, customer profiles and supply-chain details.

    Attackers monetise compromised stores in several ways: injecting card-skimming JavaScript (Magecart attacks), abusing trusted vendor access to pivot into the wider supply chain, and deploying ransomware on previously unrecognised infrastructure. For e-commerce operators, the consequences span regulatory fines, customer attrition and brand damage.

    Immediate Defence Actions for E-Commerce Operators

    Operators of Adobe Commerce or Magento Open Source must move quickly:

    • Apply Adobe’s hotfix or upgrade to a patched build listed in APSB25-88.
    • Reconfigure session storage: avoid file-based storage and migrate to database or memory-backed mechanisms.
    • Audit webroot directories for unexpected PHP files, especially webshells, and monitor for repeated POST requests to critical endpoints.
    • Deploy or strengthen Web Application Firewalls (WAFs) to detect anomalous API calls and session hijacking attempts.
    • Monitor outbound sessions from web servers for WebSocket or long-lived HTTP/2 connections that may indicate C2 channels.
    • Update all extensions and modules, especially those handling file uploads or REST API interactions, and ensure only trusted vendors are used.
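    As an added example (not code from the article, Adobe or Sansec), the log-hunting step above in Python: it scans constructed access-log lines for repeated POSTs to the /customer/address_file/upload endpoint named in the article, for phpinfo probes, and for PHP files requested from media/upload paths. The media-path prefixes, the repeat threshold and the sample log entries are assumptions.

```python
import re
from collections import defaultdict

# Matches the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint the article names as a web-shell drop point.
UPLOAD_PATH = "/customer/address_file/upload"
# Assumption: no PHP file is ever legitimately served from these upload prefixes.
UPLOAD_DIRS = ("/media/", "/pub/media/")
REPEAT_THRESHOLD = 2  # assumed: repeated POSTs from one client to the upload endpoint

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hunt(log_text, threshold=REPEAT_THRESHOLD):
    """Return (ip, reason, path) findings for SessionReaper-style post-exploitation activity."""
    findings = []
    upload_posts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0].lower()  # drop the query string
        if rec["method"] == "POST" and path.startswith(UPLOAD_PATH):
            upload_posts[ip] += 1
            if upload_posts[ip] == threshold:  # report once per client
                findings.append((ip, "repeated POST to address-file upload endpoint", path))
        if "phpinfo" in path:
            findings.append((ip, "phpinfo probe", path))
        if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
            findings.append((ip, "PHP file requested from upload directory", path))
    return findings

# Constructed sample log (documentation IP ranges); the last two lines are benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312 "-" "python-requests/2.32"
203.0.113.7 - - [10/Oct/2025:10:01:03 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 298 "-" "python-requests/2.32"
203.0.113.7 - - [10/Oct/2025:10:01:04 +0000] "GET /media/customer_address/img.php HTTP/1.1" 200 45 "-" "python-requests/2.32"
198.51.100.4 - - [10/Oct/2025:10:02:11 +0000] "GET /phpinfo.php HTTP/1.1" 404 1200 "-" "curl/8.4"
192.0.2.9 - - [10/Oct/2025:10:03:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 22000 "https://shop.example/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:10:03:05 +0000] "POST /customer/account/loginPost/ HTTP/1.1" 302 0 "https://shop.example/" "Mozilla/5.0"
"""
```

Running hunt(SAMPLE_LOG) yields three findings, all from the two probing clients; in production, feed it the full access log and correlate the reported IPs with the Sansec indicators before blocking.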

    SessionReaper highlights a recurring problem for large, widely deployed software: when high-impact vulnerabilities emerge in essential platforms, patch adoption delays create a large exploitable population. The fact that exploitation began almost immediately after the patch emphasises the urgency of rapid deployment and active threat-hunting readiness.

    For security executives, the story reinforces the concept that application infrastructure is a critical front line, not just networking or endpoint defence. Incident response processes must assume breach of core services and be ready to identify and remediate post-exploit persistence swiftly.
