Active Attack Exploits Critical Adobe Commerce, Magento Flaw

Summary
– Attackers are actively exploiting CVE-2025-54236, a critical vulnerability in Adobe Commerce and Magento Open Source, with over 250 attempts blocked on Wednesday.
– The vulnerability, known as SessionReaper, allows attackers to take over customer accounts and can enable unauthenticated remote code execution under certain conditions.
– It affects multiple versions of Adobe Commerce, Magento Open Source, and Adobe Commerce B2B, with a patch released by Adobe on September 9, 2025.
– Researchers warn that mass exploitation is expected within 48 hours due to public exploit details, and only 38% of online Magento stores are currently patched.
– Attack payloads include PHP webshells or phpinfo probes, and administrators are urged to deploy the patch immediately and scan for signs of compromise.
Security researchers at Sansec have identified active exploitation campaigns targeting a severe vulnerability in Adobe Commerce and Magento Open Source platforms. This critical flaw, tracked as CVE-2025-54236 and dubbed SessionReaper, enables attackers to hijack customer accounts and potentially execute remote code. On a single day this week, the security firm blocked more than 250 separate attack attempts against various online stores, with expectations that this aggressive activity will only intensify.
The vulnerability stems from improper input validation and impacts a wide range of software versions. For Adobe Commerce and Magento Open Source, affected releases include 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier. The Adobe Commerce B2B editions from versions 1.5.3-alpha2 and earlier down to 1.3.3-p15 are also vulnerable. The issue was originally discovered and reported by a researcher known as Blaklis. Adobe issued an official hotfix on September 9, 2025, following an accidental leak of information about the flaw the prior week. At that time, no active exploitation had been observed in the wild.
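The affected-version list above is easy to misread by hand (a bare 2.4.7 sorts below 2.4.7-p7, and 2.4.9-alpha2 sorts below 2.4.9-beta1), so here is a small added checker, written for this article and not code from Adobe, Sansec, or the Magento project. It encodes only the Adobe Commerce and Magento Open Source ceilings quoted in the paragraph; the B2B ranges are left out because the article does not give every intermediate line. The version grammar (MAJOR.MINOR.PATCH with an optional -alphaN, -betaN, or -pN suffix, ordered alpha < beta < release < p) is an assumption about how these strings compare. Because the September 9 hotfix does not show up in the version string, "affected" means "inside a range the article lists; confirm the hotfix is applied", not "definitely unpatched".

```python
import re

# Ceilings quoted in the article: each release line is affected up to and
# including this version. B2B lines are intentionally omitted (see lead-in).
AFFECTED_CEILINGS = [
    "2.4.9-alpha2",
    "2.4.8-p2",
    "2.4.7-p7",
    "2.4.6-p12",
    "2.4.5-p14",
    "2.4.4-p15",
]

# Assumed ordering of suffix stages within one release line.
_STAGE_ORDER = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(text):
    """Turn '2.4.7-p6' into a tuple that compares correctly: (2, 4, 7, 3, 6)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage or ""], int(num or 0))


def classify(version_text):
    """Return 'affected', 'above-ceiling', or 'not-listed' for a version string.

    'affected'      - same release line as a listed ceiling and at or below it
    'above-ceiling' - same release line but later than the listed ceiling
    'not-listed'    - a release line the article does not mention at all
    """
    v = parse_version(version_text)
    for ceiling_text in AFFECTED_CEILINGS:
        c = parse_version(ceiling_text)
        if v[:3] == c[:3]:
            return "affected" if v <= c else "above-ceiling"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inputs, not data from the article.
    for sample in ["2.4.7", "2.4.7-p6", "2.4.7-p7", "2.4.8-p3", "2.4.9-beta1", "2.4.10"]:
        print(f"{sample:12s} -> {classify(sample)}")
```

Run it against the version reported by `bin/magento --version` on each store; anything classified as "affected" goes on the list for hotfix verification and a compromise scan, and "not-listed" lines (older than 2.4.4 or newer than 2.4.9) need a manual check against Adobe's advisory rather than a guess.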
Following a detailed technical analysis of the patch by Assetnote/Searchlight Cyber researcher Tomais Williamson, the true severity of SessionReaper became clearer. While Adobe categorized it as a security feature bypass, the analysis reveals that under specific conditions, an unauthenticated attacker can achieve remote code execution. Systems utilizing file-based session storage are particularly susceptible to straightforward remote code execution. Even instances relying on other session storage methods, like Redis, may still be vulnerable to attack.
With the technical details now publicly available and active attacks confirmed, Sansec anticipates widespread exploitation to occur within the next two days. The high-impact nature of this vulnerability makes it a prime target for malicious actors, and the publication of a technical write-up typically triggers the rapid development of automated scanning and exploitation tools. Sansec has provided a list of IP addresses linked to the ongoing exploit attempts. The observed attack payloads have included PHP webshells and phpinfo probes, which are used to gather system configuration details.
A concerning statistic reveals that only 38 percent of online Magento stores have applied the necessary patch. This leaves a vast majority of sites exposed and provides attackers with a large pool of potential victims. Site administrators are urged to take immediate action by deploying the available patch or upgrading to the latest secure version of Adobe Commerce or Magento Open Source. Additionally, they should conduct thorough scans of their systems for any indicators of a security breach.
(Source: HelpNet Security)