Unauthenticated attackers are actively exploiting a critical vulnerability affecting Adobe Commerce and Magento platforms worldwide.
The flaw, tracked as CVE-2025-54236 and dubbed SessionReaper, enables remote code execution and customer account takeover on thousands of online stores.
| CVE ID | Vulnerability Name | Affected Products | Type | CVSS 3.1 |
| CVE-2025-54236 | SessionReaper | Adobe Commerce & Magento (all versions) | Unauthenticated RCE, Account Takeover | 9.1 Critical |
Security researchers at Sansec detected the first mass attacks on October 22, 2025, nearly two months after Adobe released an emergency patch. At the time of discovery, less than 40 percent of affected stores had deployed protective fixes.
How the Attack Works
SessionReaper combines a malicious session with a nested deserialization bug in Magento’s REST API to grant attackers complete control over vulnerable storefronts.
Exploits arrive via the /customer/address_file/upload endpoint, where attackers upload PHP backdoors disguised as fake session files.
This approach bypasses authentication requirements entirely, allowing any internet-connected attacker to compromise unpatched systems without valid credentials.
Magento administrators using file-based session storage face the highest risk, though organizations relying on Redis or database-backed sessions should not assume they are safe.
Security researchers confirm multiple attack vectors exist, and the true scope of exploitation may be wider than currently understood.
Adobe released the SessionReaper patch on September 9 as an out-of-band emergency update, breaking its normal release schedule.
However, adoption remained dismally slow. By mid-September, fewer than one in three Magento stores had installed the fix.
This lag created a critical window for attackers to develop and deploy exploits. The situation worsened when Adobe accidentally leaked the patch code on GitHub, potentially accelerating attacker preparations.
Adding insult to injury, Adobe’s official vulnerability advisory initially downplayed the threat, describing the impact only as account takeover and omitting any mention of remote code execution a detail security researchers later confirmed.
SessionReaper ranks among the most severe Magento vulnerabilities ever discovered, joining a notorious roster including Shoplift (2015), the Ambionics SQL injection (2019), TrojanOrder (2022), and CosmicSting (2024).
Each previous flaw resulted in thousands of compromised stores within hours or days of public disclosure.
Organizations running unpatched Magento or Adobe Commerce instances face imminent compromise.
Immediate actions include deploying the official patch from Adobe’s repository and testing thoroughly, as the fix disables internal Magento functionality that may break custom extensions.
Administrators unable to patch within 24 hours should activate a Web Application Firewall (WAF) for temporary protection only Adobe Fastly and Sansec Shield currently block this specific attack.
For stores already patched, security researchers recommend running malware scanners to detect compromises and rotating cryptographic keys to prevent attackers from modifying CMS blocks indefinitely.
With 62 percent of stores remaining unpatched, the threat landscape continues evolving as more organizations fall victim to automated exploitation campaigns.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
