A critical security breach has exposed multiple Magento e-commerce platforms worldwide as threat actors successfully exploited a severe authentication flaw to achieve complete system control.
The attack campaign, identified in January 2026, represents one of the most significant waves of coordinated web server compromises in recent months, affecting hundreds of online stores across different regions and industries.
The vulnerability at the center of this attack is CVE-2025-54236, also known as SessionReaper, which allows unauthorized access by reusing session tokens that were not properly invalidated by the Magento application.
These session tokens function like digital keys that verify a user’s identity.
When Magento fails to destroy these keys after users log out, attackers can intercept and replay them to gain access as legitimate administrators, bypassing all password protections and security measures.
Oasis Security analysts identified multiple independent intrusion incidents where different threat actors exploited CVE-2025-54236 against Magento environments across various geographical regions, demonstrating widespread knowledge and weaponization of this flaw.
The research team discovered that attackers had scanned for vulnerable systems on a massive scale, identifying over 1,000 vulnerable Magento APIs and successfully compromising 200 websites with root-level administrative access.
Infection mechanism
The infection mechanism reveals how attackers systematically leveraged this vulnerability to establish complete control over victim infrastructure.
Once attackers gained initial access through session hijacking, they escalated their privileges to obtain root access, the highest level of system control on Linux servers.
With that level of access they deployed web shells as a persistence mechanism: small scripts that give attackers remote command execution for ongoing system manipulation and data theft.
Evidence shows that compromised systems contained sensitive files displaying system user accounts and credentials, indicating thorough system exploration and potential data exfiltration.
The investigation uncovered command and control infrastructure operating from Finland and Hong Kong, with separate threat actors conducting web shell deployment operations specifically targeting Magento sites in Canada and Japan.
The attackers maintained detailed logs of compromised websites and deployed shell paths, demonstrating organized operational security and systematic targeting strategies.
Organizations running Magento must immediately patch this vulnerability and audit their server logs for suspicious session token usage.
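The two defensive points in this article, destroying server-side session state at logout so a captured token cannot be replayed, and auditing logs for a session identifier that keeps being used after its logout event, are illustrated below in an added Python example. This is not Magento code and not part of the original report; the `SessionStore` class, the `audit_session_log` function, the log line format and the sample log lines are all constructed for this illustration. The store is parameterised so the weak behaviour (logout only clears the client cookie) can be compared with the correct one (logout deletes the server-side record), and the audit assumes logs carry a hashed session identifier rather than the raw token.

```python
"""Session-lifecycle hygiene and a log audit for reuse after logout.

Constructed example: not Magento's implementation, only the general
technique the article describes from a defender's point of view.
"""
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by an opaque random token."""

    def __init__(self, ttl_seconds=900, invalidate_on_logout=True):
        self.ttl_seconds = ttl_seconds
        # Weak configuration (False): logout only forgets the cookie on the
        # client; the server-side record survives and a replayed token still
        # resolves to the user. Correct configuration (True): the record is
        # destroyed, so a replayed token resolves to nothing.
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # token -> (user, expires_at)
        self._cookie_cleared = set()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        self._sessions[token] = (user, now + self.ttl_seconds)
        return token

    def logout(self, token):
        self._cookie_cleared.add(token)  # what the client sees either way
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)  # the step that actually matters

    def resolve(self, token, now=None):
        """Return the user for a presented token, or None if it is not valid."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now > expires_at:  # absolute TTL bounds the replay window too
            self._sessions.pop(token, None)
            return None
        return user


# Constructed audit log: "<epoch> <event> <session_id> <client_ip>".
# session_id is assumed to be a hash of the token (raw tokens do not belong in logs);
# IPs are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "1700000000 login   s1a2b3 203.0.113.10",
    "1700000030 request s1a2b3 203.0.113.10",
    "1700000060 logout  s1a2b3 203.0.113.10",
    "1700000100 login   c9d8e7 192.0.2.5",
    "1700000120 request c9d8e7 192.0.2.5",
    "1700000500 request s1a2b3 198.51.100.7",  # same session id 440 s after logout
]


def audit_session_log(lines):
    """Flag requests that present a session identifier after its logout event.

    Any hit means either the server failed to invalidate the session or the
    application accepted a token it should have rejected; both deserve a look.
    """
    logged_out_at = {}
    findings = []
    for line in lines:
        ts, event, sid, ip = line.split()
        ts = int(ts)
        if event == "logout":
            logged_out_at[sid] = ts
        elif event == "request" and sid in logged_out_at and ts > logged_out_at[sid]:
            findings.append({
                "session": sid,
                "ip": ip,
                "seconds_after_logout": ts - logged_out_at[sid],
            })
    return findings


if __name__ == "__main__":
    good = SessionStore(invalidate_on_logout=True)
    tok = good.login("admin", now=1000)
    good.logout(tok)
    print("hardened store after logout:", good.resolve(tok, now=1001))  # None
    weak = SessionStore(invalidate_on_logout=False)
    tok = weak.login("admin", now=1000)
    weak.logout(tok)
    print("weak store after logout:", weak.resolve(tok, now=1001))  # still admin
    for hit in audit_session_log(SAMPLE_LOG):
        print("post-logout reuse:", hit)
```

In a real deployment the audit would run over the application's access and authentication logs with the same join key (a session hash or login event id), and the hardened store's behaviour is the property to verify after patching: log in, log out, replay the old cookie, and confirm the application answers with a fresh login page rather than the admin panel.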
The widespread nature of this campaign underscores the critical importance of timely security updates and continuous monitoring of e-commerce platforms hosting valuable customer data and payment information.
