Hackers Exploiting Adobe Magento RCE Vulnerability in the Wild

Hackers have begun actively targeting a critical remote code execution flaw in Adobe’s Magento e-commerce platform, putting thousands of online stores at immediate risk just six weeks after Adobe issued an emergency patch.

Known as SessionReaper and tracked as CVE-2025-54236, the vulnerability allows unauthenticated attackers to hijack customer sessions and potentially execute arbitrary code, leading to data breaches and store compromises.

Security firm Sansec reported blocking over 250 exploitation attempts on October 22, 2025, with attacks originating from multiple IP addresses worldwide.​

Adobe Magento RCE Vulnerability Exploited

SessionReaper stems from an improper input validation issue (CWE-20) in the Commerce REST API of Adobe Commerce and Magento Open Source, affecting versions 2.4.9-alpha2 and earlier.

Discovered by independent researcher Blaklis and patched by Adobe on September 9, 2025, the flaw lets an attacker who has not authenticated upload a malicious file disguised as session data through the /customer/address_file/upload endpoint.

Because the uploaded content is later deserialized as session data (a nested deserialization), the bug can escalate to full remote code execution. Stores using file-based session storage are the most exposed, but Sansec notes that Redis- and database-backed session setups may also be vulnerable.


A detailed technical breakdown released by Assetnote researchers on October 21, 2025, included proof-of-concept code demonstrating the exploit, effectively closing the window for undetected patching.

Sansec’s forensics team, noting SessionReaper’s CVSS score of 9.1, likened it to past Magento threats such as CosmicSting (CVE-2024-34102) in 2024, TrojanOrder (CVE-2022-24086) in 2022, and the infamous Shoplift vulnerability (CVE-2015-1397) in 2015, each of which resulted in thousands of hacked stores shortly after disclosure.

With exploit details now public, Sansec expects widespread automated attacks within 48 hours, as mass-scanning tools quickly incorporate high-impact flaws like this one.

Despite Adobe’s urgent advisory and hotfix availability, adoption remains alarmingly low. Sansec’s monitoring shows that only 38% of Magento stores have applied protections six weeks after the patch, leaving the remaining 62%, roughly three in five stores, exposed to this critical threat.

Initial reports from September indicated even fewer than one in three stores were secured, highlighting persistent delays in e-commerce security updates that expose sensitive customer data like payment details to theft.

This vulnerability’s broad impact on global online retailers underscores the urgency, as unpatched sites become prime targets for credential stuffing, malware injection, and supply chain disruptions.​

Mitigations

Store owners must act swiftly to mitigate risks. Adobe recommends deploying the official patch from their repository or upgrading to the latest secure release, with detailed instructions in their developer guide.

For immediate defense without patching, activating a web application firewall (WAF) is crucial; Sansec Shield, for instance, has blocked SessionReaper since discovery and offers a free month via coupon code SESSIONREAPER.

Observed exploits trace back to IPs such as 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166, delivering payloads that probe server configurations or install backdoors.

Sansec continues real-time tracking, urging merchants to monitor for similar activity and follow their live attack dashboard for updates.
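As an added example (not code from the article, from Sansec or from Adobe), the following Python script does the monitoring the article recommends: it scans web server access logs in the common nginx/Apache "combined" format for the two indicators the article gives, requests to the /customer/address_file/upload endpoint and hits from the source IPs listed above. The sample log lines are constructed, not real traffic; the field names, the severity labels and the assumption that the endpoint may appear under a REST prefix such as /rest/V1 are mine, not from the article.

```python
import re

# Indicators taken from the article: the endpoint abused by SessionReaper and
# the source IPs Sansec observed on 22 Oct 2025.
SESSIONREAPER_PATH = "/customer/address_file/upload"
REPORTED_IPS = {
    "34.227.25.4",
    "44.212.43.34",
    "54.205.171.35",
    "155.117.84.134",
    "159.89.12.166",
}

# nginx/Apache "combined" log format. Group names are our own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return a finding dict for one log line, or None if it is uninteresting."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not combined format; skip rather than guess
    ip = m.group("ip")
    path = m.group("path").split("?", 1)[0]
    status = int(m.group("status"))
    reasons = []
    # Substring match so both /customer/address_file/upload and a REST-prefixed
    # form such as /rest/V1/customer/address_file/upload are caught (assumption:
    # the prefix varies with the store's routing and reverse-proxy setup).
    endpoint_hit = SESSIONREAPER_PATH in path
    if endpoint_hit:
        reasons.append("request to SessionReaper upload endpoint")
    if ip in REPORTED_IPS:
        reasons.append("source IP reported by Sansec")
    if not reasons:
        return None
    # Severity ladder (our own): an accepted request to the endpoint means the
    # server processed the upload, so look for dropped files; a rejected one is
    # still evidence of scanning; a reported IP elsewhere is just a heads-up.
    if endpoint_hit and status < 400:
        severity = "high"
    elif endpoint_hit:
        severity = "medium"
    else:
        severity = "low"
    return {
        "ip": ip,
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": status,
        "user_agent": m.group("ua"),
        "severity": severity,
        "reasons": reasons,
    }


def scan(lines):
    """Classify every line and return the findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(classify, lines) if f is not None]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample log (not real traffic): an accepted upload from a reported
# IP, normal browsing, a reported IP merely browsing, and a blocked upload.
SAMPLE_LOG = """\
159.89.12.166 - - [22/Oct/2025:08:14:03 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.7 - - [22/Oct/2025:08:14:10 +0000] "GET /catalog/category/view/id/20 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
34.227.25.4 - - [22/Oct/2025:08:15:41 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Oct/2025:08:16:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['path']} -> "
              f"{f['status']}: " + "; ".join(f["reasons"]))
```

To run it over a real log, pass the file's lines to scan(). A "high" finding (an accepted request to the endpoint) on a store that uses file-based sessions is reason to inspect the session save directory and recently modified PHP files for dropped payloads, not merely to block the IP; a "medium" finding (the request was rejected, for example by a WAF) still shows the store is being scanned and should be patched.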

As exploitation ramps up, the e-commerce sector faces a potential wave of breaches reminiscent of historical Magento incidents.​


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.