A critical security flaw, identified as CVE-2025-54236 and dubbed SessionReaper, has been discovered in Adobe’s Magento e-commerce platform. This vulnerability allows unauthenticated attackers to hijack customer sessions and potentially execute arbitrary code, leading to data breaches and store compromises. Despite Adobe releasing an emergency patch on September 9, 2025, a significant number of online stores remain unprotected, leaving them susceptible to exploitation.
Details of the Vulnerability
SessionReaper arises from improper input validation within the Commerce REST API of Adobe Commerce and Magento Open Source versions up to 2.4.9-alpha2. Discovered by independent researcher Blaklis, the flaw enables attackers to upload malicious files disguised as session data via the `/customer/address_file/upload` endpoint, effectively bypassing authentication mechanisms. This nested deserialization bug can lead to full remote code execution, particularly on systems using file-based session storage, although setups using Redis or database-backed sessions may also be vulnerable.
Active Exploitation and Impact
Security firm Sansec reported blocking over 250 exploitation attempts on October 22, 2025, with attacks originating from multiple IP addresses worldwide. The severity of SessionReaper, rated 9.1 on the CVSS scale, is comparable to previous Magento vulnerabilities such as CosmicSting (CVE-2024-34102) in 2024, TrojanOrder (CVE-2022-24086) in 2022, and the infamous Shoplift vulnerability in 2015. Each of these past vulnerabilities led to thousands of compromised stores shortly after disclosure.
With exploit details now public, experts predict widespread automated attacks within 48 hours, driven by scanning tools that exploit such high-impact flaws. Despite Adobe’s urgent advisory and the availability of a hotfix, adoption remains alarmingly low. Sansec’s monitoring indicates that only 38% of Magento stores have applied the necessary protections six weeks after the patch’s release, leaving 62%—or three in five stores—exposed to this critical threat.
Mitigation Measures
Store owners are urged to act swiftly to mitigate risks associated with SessionReaper. Adobe recommends deploying the official patch from their repository or upgrading to the latest secure release, with detailed instructions available in their developer guide. For immediate defense without patching, activating a web application firewall (WAF) is crucial. Sansec Shield, for instance, has been blocking SessionReaper since its discovery and offers a free month of service via the coupon code SESSIONREAPER.
Observed exploits have been traced back to IP addresses such as 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166, delivering payloads that probe server configurations or install backdoors. Sansec continues real-time tracking and urges merchants to monitor for similar activity, providing updates through their live attack dashboard.
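The article names two indicators a store operator can hunt for in web-server access logs: POST requests to the `/customer/address_file/upload` REST endpoint and the source IPs Sansec observed. The following detector is an added example written for this page, not code from Sansec or Adobe. It parses standard Apache/nginx "combined" access-log lines, flags either indicator, and rates a hit on both as high severity. The sample log lines are constructed; only the endpoint path and the five IP addresses come from the article, and the `Finding` class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Indicator values quoted in the article: the REST endpoint abused by
# SessionReaper and the source IPs Sansec reported. Plain collections so a
# threat-intel feed can extend them.
SESSIONREAPER_ENDPOINT = "/customer/address_file/upload"
KNOWN_ATTACKER_IPS = frozenset({
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
})

# Apache/nginx "combined" access-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one benign request, one POST to
# the endpoint from a listed IP, one POST from an unlisted IP, one unrelated
# request from a listed IP, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120
34.227.25.4 - - [22/Oct/2025:10:01:05 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 312
198.51.100.7 - - [22/Oct/2025:10:02:11 +0000] "POST /rest/default/V1/customer/address_file/upload HTTP/1.1" 400 128
159.89.12.166 - - [22/Oct/2025:10:03:40 +0000] "GET /index.php/admin HTTP/1.1" 302 0
this is not a log line
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A POST to the upload endpoint from a listed IP is the strongest signal;
        # either indicator on its own still deserves a look.
        return "high" if len(self.reasons) > 1 else "medium"


def analyze_line(line: str):
    """Return a Finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    ip, ts, method = m["ip"], m["ts"], m["method"]
    status = int(m["status"])
    path_only = m["path"].split("?", 1)[0].rstrip("/")  # drop query string and trailing slash
    reasons = []
    if ip in KNOWN_ATTACKER_IPS:
        reasons.append("known-attacker-ip")
    # Match the endpoint regardless of the /rest/V1 or /rest/<store>/V1 prefix.
    if method == "POST" and path_only.endswith(SESSIONREAPER_ENDPOINT):
        reasons.append("post-to-sessionreaper-endpoint")
    if not reasons:
        return None
    return Finding(ip, ts, method, path_only, status, reasons)


def scan_log(text: str) -> list:
    """Scan a whole access log (one request per line) and collect findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.ip} {f.method} {f.path} -> {f.status}: "
              + ", ".join(f.reasons))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a POST to the endpoint that returned 200 on an unpatched store is the line to investigate first, and any hit from an unlisted IP should be treated as a new indicator rather than dismissed, since the article notes attacks arrive from many addresses worldwide.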
As exploitation escalates, the e-commerce sector faces a potential wave of breaches reminiscent of historical Magento incidents. Store owners must prioritize applying the necessary patches and implementing robust security measures to protect their platforms and customer data.