Six weeks after Adobe shipped an emergency fix, attackers have begun weaponizing SessionReaper — and most Magento stores still stand exposed.
Security firm Sansec’s forensics team said it blocked hundreds of real-world exploitation attempts of the SessionReaper bug as proof-of-concept code and a technical write-up circulated publicly. For those who still have not patched this bug, Its a critical warning that widespread abuse would follow.
What is SessionReaper Bug
SessionReaper (CVE-2025-54236) is an unauthenticated, remote-code-execution flaw in Adobe Commerce / Magento that stems from nested deserialization in admin-facing functionality. Assetnote published the technical analysis that demonstrated how an attacker could craft requests to trigger object deserialization and run arbitrary PHP — a straight path to web shells and full shop takeover. With exploit details now public, Sansec researchers said the window for safe patching had effectively closed.
Sansec researchers reported that only 38% of Magento stores had applied Adobe’s patch six weeks after disclosure, leaving roughly 62% vulnerable to automated scans and commodity exploit tooling. They also confirmed of blocking more than 250 exploitation attempts in a single day and observed initial payloads that delivered PHP webshells or phpinfo probes. The company published an initial set of attacker source IPs to help defenders triage incoming traffic.
Also read: Adobe Issues Urgent Patch for ‘SessionReaper’ Vulnerability in Commerce and Magento
Attackers Exploited Familiar eCommerce Playbook
Researchers said the flow of the attack is not novel and has been observed earlier. The attackers scanned the web for reachable admin consoles, sent crafted HTTP requests to the vulnerable endpoint and dropped webshells to persist and pivot.
Sansec compared SessionReaper’s potential impact to previous mass-compromise flaws such as Shoplift (2015) and CosmicSting (2024), both of which spawned waves of site-wide infections and payment-card skimming campaigns. With automated exploit scanners and proof-of-concept code circulating, researchers expect mass compromise within hours of public analysis.
The defensive checklist that the researchers suggested remains simple but urgent. They urged store owners to deploy the vendor patch or upgrade to the latest security release immediately; to activate a web application firewall (WAF) if they cannot patch right away; and to run a thorough compromise scan for indicators such as unexpected PHP webshells, new files in webroot and suspicious scheduled tasks. They also advised searching logs for the IPs it observed to identify probing activity.
The warning held particular weight because of the way ecommerce platforms amplify risk. Magento and Adobe Commerce sit at the intersection of payments, customer PII and third-party plugins. A single compromised admin console can let an attacker replace checkout pages, inject payment skimmers, and harvest credit-card data at scale. Attackers historically monetized these compromises rapidly, either by installing Magecart skimmers or building backend access for long-running fraud operations. Sansec’s timeline explicitly linked SessionReaper to that same class of high-impact supply-chain abuse.
The SessionReaper episode offered two broader lessons. First, critical-path fixes for internet-facing infrastructure must move faster than the adversary’s ability to automate; Adobe’s patch arrived, but adoption lagged dangerously. Second, ecommerce operators needed layered controls. Patching alone would stop exploitation, but WAFs, hardened deployment practices, privilege separation and continuous file-integrity monitoring buy time when immediate patching proves difficult.
