SessionReaper flaw in Adobe Magento actively exploited
Take action: if you run Adobe Commerce or Magento Open Source, treat this advisory as urgent and important. Patch your Commerce/Magento installation immediately: the vulnerability is being exploited against live e-commerce platforms right now.
Cybercriminals are actively exploiting a critical vulnerability in Adobe Commerce (formerly known as Magento) platforms.
The exploited vulnerability is tracked as CVE-2025-54236 (CVSS score 9.1) and has been dubbed "SessionReaper". It is an improper input validation flaw that enables attackers to hijack customer account sessions. The vulnerability affects a wide range of Adobe Commerce versions, including 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and all earlier versions.
Security researchers are detecting hundreds of exploitation attempts targeting unpatched e-commerce stores worldwide. The flaw, which experts have described as one of the most severe security bugs in the product's history, threatens the integrity of thousands of online retail operations and their customers' sensitive data.
Adobe first disclosed CVE-2025-54236 on September 8, 2025, warning that the vulnerability could allow potential attackers to take complete control of customer accounts through the Commerce REST API.
E-commerce security firm Sansec confirmed that the vulnerability has entered the active exploitation phase in the wild. In a single day, Sansec's systems blocked more than 250 SessionReaper exploitation attempts targeting multiple e-commerce platforms.
The exploitation attempts observed by Sansec researchers included deployment of PHP webshells—malicious scripts that provide attackers with remote access and control over compromised systems—as well as phpinfo probes designed to enumerate server configuration settings and identify predefined variables that could facilitate further exploitation.
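As an added illustration (not part of the original advisory, and not tooling from Adobe or Sansec), the following Python script scans web-server access logs for the two post-exploitation indicators named above: phpinfo probes and PHP scripts served from Magento's asset directories. It assumes the Apache/nginx combined log format and, as a stated assumption, that the store follows Magento's sample web-server configuration, under which nothing beneath pub/media or pub/static should ever execute as PHP. The log lines are constructed sample data, and the REST endpoint in them is a generic placeholder, not a statement about where the vulnerable code lives.

```python
"""Triage access logs for SessionReaper post-exploitation indicators:
phpinfo probes and PHP webshells reachable under Magento asset directories.
Added example; constructed sample data, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format (client, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: the site uses Magento's sample web-server config, which does not execute
# PHP under pub/media or pub/static, so a PHP script requested there is a webshell signal.
ASSET_DIRS = ("/media/", "/static/")
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml|ar)(?:$|[/?#])")

# Constructed sample log; 203.0.113.7 plays the attacker, the others are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:08:14:02 +0000] "POST /rest/V1/guest-carts/abc123/items HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2025:08:14:05 +0000] "GET /media/tmp/info.php?phpinfo=1 HTTP/1.1" 200 56321
203.0.113.7 - - [10/Oct/2025:08:14:09 +0000] "POST /media/wysiwyg/cache.php?cmd=id HTTP/1.1" 200 77
198.51.100.20 - - [10/Oct/2025:08:15:11 +0000] "GET /rest/V1/products/SKU-1 HTTP/1.1" 200 2310
198.51.100.20 - - [10/Oct/2025:08:15:12 +0000] "GET /static/version1/frontend/Magento/luma/en_US/css/styles-m.css HTTP/1.1" 200 88120
192.0.2.55 - - [10/Oct/2025:08:16:40 +0000] "GET /%2570hpinfo.php HTTP/1.1" 404 153
"""


def decode_path(raw):
    """Decode twice and lower-case so %25-style double encoding (%2570hpinfo) cannot hide a probe."""
    return unquote(unquote(raw)).lower()


def classify(line):
    """Return indicator tags for one log line; [] for an unparsable or benign line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = decode_path(m.group("path"))
    tags = []
    if "phpinfo" in path:
        tags.append("phpinfo_probe")
    if any(d in path for d in ASSET_DIRS) and PHP_EXT_RE.search(path):
        tags.append("php_under_asset_dir")
    if m.group("method") == "POST" and path.startswith("/rest/"):
        tags.append("rest_api_post")  # context only: REST POSTs are normal storefront traffic
    return tags


def triage(lines):
    """Aggregate indicators per client IP and return only clients showing a
    post-exploitation indicator (a REST POST alone is never reported)."""
    per_ip = defaultdict(lambda: {"tags": set(), "hits": 0})
    for line in lines:
        tags = classify(line)
        if not tags:
            continue
        ip = LOG_RE.match(line).group("ip")
        per_ip[ip]["tags"].update(tags)
        per_ip[ip]["hits"] += 1
    suspicious = {"phpinfo_probe", "php_under_asset_dir"}
    return {ip: rec for ip, rec in per_ip.items() if rec["tags"] & suspicious}


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {rec['hits']} flagged request(s), indicators={sorted(rec['tags'])}")
```

Run it against a real log with `triage(open("access.log").read().splitlines())`; a hit on `php_under_asset_dir` returning HTTP 200 is the one to escalate, since it means the server actually executed a script it should have refused to serve.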
The patch adoption rate among Adobe Commerce installations has been alarmingly slow. According to Sansec's telemetry data, 62% of Magento stores currently online have not yet installed Adobe's security update and remain vulnerable to SessionReaper attacks.
Website administrators and e-commerce operators running Adobe Commerce or Magento platforms should apply Adobe's security patch immediately; where patching has to wait, implement the interim mitigations Adobe recommends, then review server logs and web-accessible directories for signs that the store was already compromised.