A dangerous wave of attacks is exploiting CVE-2025-54236, dubbed “SessionReaper,” in Magento e-commerce platforms.
This vulnerability lets attackers bypass authentication by reusing invalid session tokens, paving the way for session hijacking and full server takeovers.
Researchers uncovered multiple intrusion campaigns hitting Magento sites worldwide, with over 200 stores suffering root-level compromises.
In the most alarming incident, threat actors scanned and targeted 1,460 vulnerable Magento Commerce APIs.
Attackers listed these in a file called “success_api_2025.txt,” marking them for exploitation. From this pool, they fully breached 216 websites.
Each compromised site yielded files mimicking /etc/passwd listings, revealing user accounts and confirming root access. These leaks, shown in Oasis Security’s figures, prove attackers gained god-like control over servers.
The campaign relied on active command-and-control (C2) infrastructure at IP 93.152.230.161, hosted in Finland.
This setup orchestrated mass scans and exploits, turning vulnerable APIs into entry points. Oasis noted the aggressive scale: attackers didn’t just probe, they methodically rooted systems, likely deploying rootkits for persistence.
Separate Webshell Attacks Hit Canada and Japan
Distinct operations targeted Magento sites in Canada and Japan, using the same CVE-2025-54236 flaw. Here, attackers uploaded web shells for ongoing access.
C2 traffic flowed through IP 115.42.60.163 in Hong Kong. Logs in files like “404_key.txt” and “key.txt” detail victim URLs, shell paths, and control keys.
Evidence from these logs shows successful uploads across multiple sites. For instance, structured entries list exact deployment paths, allowing remote code execution.
Figures from Oasis highlight Japan and Canada as hotspots, with shells placed at attacker-chosen locations on victim servers. This setup ensures persistent backdoors even after initial exploits.

Oasis stresses these incidents appear independent, involving different actors. Yet all exploit SessionReaper’s core weakness: poor session token invalidation in Magento.
Attackers capture tokens during legit sessions, replay them to impersonate admins, and escalate privileges.
CVE Details and Impact Table
CVE-2025-54236 affects Magento Commerce editions before patches. It scores high on CVSS due to its authentication bypass chain leading to RCE.
| Detail | Information |
|---|---|
| CVE ID | CVE-2025-54236 (SessionReaper) |
| Affected Software | Magento Commerce (unpatched) |
| Vulnerability Type | Authentication Bypass, Session Hijacking |
| Exploitation Impact | Root access, web shells, data theft |
| Victims Identified | 216 rooted sites + Canada/Japan webshells |
| C2 IPs | 93.152.230.161 (Finland), 115.42.60.163 (HK) |
This table summarizes the flaw’s scope. Over 1,460 exposed APIs signal broader risk for unpatched stores.
Magento powers thousands of online shops, making it a prime target. SessionReaper joins a string of e-commerce vulnerabilities, like past POODLE-style flaws. Attackers favor it for stealth: there is no noisy brute force, just token reuse.

Oasis discovered these via threat hunting, analyzing leaked files and logs. The /etc/passwd excerpts expose server internals, aiding lateral movement or ransomware prep.
In rooted sites, rootkits likely hide activities, stealing customer data or injecting malware.
Regions like North America, Europe, and Asia-Pacific report hits, with global scans amplifying spread.
Magento users must patch immediately. Adobe has issued fixes; apply them via Composer updates. Scan for these IOCs:
- Monitor for C2 IPs: 93.152.230.161, 115.42.60.163.
- Check logs for anomalous session reuse.
- Harden sessions: enforce strict invalidation, token binding.
- Use WAF rules blocking CVE-2025-54236 patterns.
- Audit APIs; limit exposure.
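The first two items above, checking for contact from the reported C2 addresses and for anomalous session reuse, can be turned into a simple log triage script. The following is an added example written for this article, not tooling from Oasis Security or Adobe. The two IP addresses come from the report; the access log lines are constructed, and the log layout (a combined-log prefix with a trailing `sess=<token>` field) is an assumption made for the example, so the regular expression would need adjusting to a real server's format.

```python
import re
from collections import defaultdict

# Command-and-control addresses named in the report above.
C2_IPS = {"93.152.230.161", "115.42.60.163"}

# Constructed sample access log. The layout (combined-log prefix plus a
# trailing "sess=<token>" field) is an assumption for this example, not
# Magento's real log format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:00:01 +0000] "GET /admin/dashboard HTTP/1.1" 200 sess=abc123
203.0.113.10 - - [12/Oct/2025:10:00:05 +0000] "GET /admin/customer/index HTTP/1.1" 200 sess=abc123
198.51.100.7 - - [12/Oct/2025:10:02:30 +0000] "POST /rest/V1/products HTTP/1.1" 200 sess=abc123
93.152.230.161 - - [12/Oct/2025:10:05:00 +0000] "GET /rest/V1/products HTTP/1.1" 401 sess=-
192.0.2.44 - - [12/Oct/2025:10:06:00 +0000] "GET /checkout/cart HTTP/1.1" 200 sess=zzz999
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) sess=(?P<sess>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every non-empty line; skip lines that do not match the layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None:
            entries.append(rec)
    return entries


def find_c2_hits(entries):
    """Requests whose client address is one of the reported C2 IPs."""
    return [e for e in entries if e["ip"] in C2_IPS]


def find_session_reuse(entries):
    """Session tokens seen from more than one client address.

    A token replayed from a second address is the pattern the article
    describes (a captured token reused to impersonate an admin). A
    placeholder token of "-" means no session cookie and is ignored.
    """
    ips_by_sess = defaultdict(set)
    for e in entries:
        if e["sess"] != "-":
            ips_by_sess[e["sess"]].add(e["ip"])
    return {s: sorted(ips) for s, ips in ips_by_sess.items() if len(ips) > 1}


def scan(text):
    """Run both checks over a log text and return (c2_hits, reused_sessions)."""
    entries = parse_log(text)
    return find_c2_hits(entries), find_session_reuse(entries)


if __name__ == "__main__":
    hits, reuse = scan(SAMPLE_LOG)
    for h in hits:
        print(f"C2 contact: {h['ip']} {h['req']} -> {h['status']} at {h['ts']}")
    for sess, ips in reuse.items():
        print(f"session {sess} used from {len(ips)} addresses: {', '.join(ips)}")
```

On the sample input the script reports one request from 93.152.230.161 and one session token (abc123) used from two different addresses. Treat the reuse finding as a triage signal rather than proof: a legitimate user on a mobile network can change addresses mid-session, so confirm against the timing, the user agent, and whether the second address reached admin or API paths before escalating.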
This rampage underscores Magento’s patching urgency. With 200+ roots confirmed, unmitigated sites face imminent threats. Oasis urges vigilance as exploits evolve.
