Cyber Web Spider Blog – News

Hackers Exploiting Adobe Magento RCE Vulnerability in the Wild

Posted on October 23, 2025 by CWS

Hackers have begun actively targeting a critical remote code execution flaw in Adobe's Magento e-commerce platform, putting thousands of online stores at immediate risk just six weeks after Adobe issued an emergency patch.

Known as SessionReaper and tracked as CVE-2025-54236, the vulnerability allows unauthenticated attackers to hijack customer sessions and potentially execute arbitrary code, leading to data breaches and store compromises.

Security firm Sansec reported blocking over 250 exploitation attempts on October 22, 2025, with attacks originating from multiple IP addresses worldwide.

Adobe Magento RCE Vulnerability Exploited

SessionReaper stems from an improper input validation issue in Adobe Commerce and Magento Open Source versions, including 2.4.9-alpha2 and earlier, affecting the Commerce REST API.

Discovered by independent researcher Blaklis and patched by Adobe on September 9, 2025, the flaw allows attackers to upload malicious files disguised as session data via the /customer/address_file/upload endpoint, bypassing authentication.

This nested deserialization bug can lead to full remote code execution, especially on systems using file-based session storage, though Redis or database-backed setups may also be vulnerable.

A detailed technical breakdown released by Assetnote researchers on October 21, 2025, included proof-of-concept code demonstrating the exploit, effectively closing the window for patching before attackers caught on.

Sansec's forensics team compared SessionReaper's CVSS severity score of 9.1 to past Magento threats like CosmicSting (CVE-2024-34102) in 2024, TrojanOrder (CVE-2022-24086) in 2022, and the infamous Shoplift vulnerability in 2015, each of which resulted in thousands of hacked stores shortly after disclosure.

With exploit details now public, experts predict widespread automated attacks within 48 hours, fueled by scanning tools that thrive on such high-impact flaws, Sansec said.

Despite Adobe's urgent advisory and hotfix availability, adoption remains alarmingly low. Sansec's monitoring shows only 38% of Magento stores have applied protections six weeks post-patch, leaving 62%, or three in five, exposed to this critical threat.

Initial reports from September indicated even fewer than one in three stores had been secured, highlighting persistent delays in e-commerce security updates that expose sensitive customer data such as payment details to theft.

This vulnerability's broad impact on global online retailers underscores the urgency, as unpatched sites become prime targets for credential stuffing, malware injection, and supply chain disruptions.

Mitigations

Store owners must act swiftly to mitigate the risk. Adobe recommends deploying the official patch from its repository or upgrading to the latest secure release, with detailed instructions in its developer guide.

For immediate protection without patching, activating a web application firewall (WAF) is essential; Sansec Shield, for instance, has blocked SessionReaper since discovery and offers a free month via coupon code SESSIONREAPER.

Observed exploits trace back to IPs such as 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166, delivering payloads that probe server configurations or install backdoors.

Sansec continues real-time monitoring, urging merchants to watch for related activity and follow its live attack dashboard for updates.

As exploitation ramps up, the e-commerce sector faces a potential wave of breaches reminiscent of historic Magento incidents.
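The article names two things a defender can check for right away: requests hitting the /customer/address_file/upload endpoint that SessionReaper abuses, and traffic from the source IPs Sansec observed. The scanner below is an added example, not code from Sansec, Adobe or this blog. It assumes a web server writing the common "combined" access-log format, takes the endpoint path and IP list from the article, and runs over a few constructed log lines embedded in the script; it flags a request if it is a POST to the upload endpoint (with or without a store-code or index.php prefix), if it comes from a listed source, or both, and it skips unparseable lines rather than aborting.

```python
import re
from dataclasses import dataclass, field

# Session-upload endpoint the article names for CVE-2025-54236 (SessionReaper).
SUSPECT_PATH = "/customer/address_file/upload"

# Source addresses the article reports as observed exploit origins.
KNOWN_SOURCES = frozenset({
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
})

# Combined log format: client, identd, user, [timestamp], "request line",
# status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Two of the client IPs are
# from the article's list; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
34.227.25.4 - - [22/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [22/Oct/2025:10:01:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Oct/2025:10:02:11 +0000] "POST /rest/V1/customers/me/addresses HTTP/1.1" 401 120 "-" "curl/8.5"
159.89.12.166 - - [22/Oct/2025:10:03:44 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Oct/2025:10:04:10 +0000] "POST /index.php/customer/address_file/upload HTTP/1.1" 500 300 "-" "Go-http-client/1.1"
this line is not in combined log format and is skipped
"""


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """List the reasons a parsed request is worth a closer look (empty if none)."""
    reasons = []
    # Drop any query string and trailing slash, then match the path suffix so a
    # store-code or index.php prefix does not hide the endpoint.
    path = entry["path"].split("?", 1)[0].rstrip("/")
    if entry["method"] == "POST" and path.endswith(SUSPECT_PATH):
        reasons.append("upload-endpoint")
    if entry["ip"] in KNOWN_SOURCES:
        reasons.append("known-source")
    return reasons


def scan(log_text):
    """Scan a block of log text and return a Finding for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip it, keep scanning
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(entry["ip"], entry["path"], entry["status"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:16} {f.status} {f.path}  <- {', '.join(f.reasons)}")
```

A hit on the upload endpoint from an unlisted address (the last flagged line above) matters as much as one from a listed IP: the article's point is that automated scanners will follow the public proof of concept, so the endpoint itself, not the source list, is the durable indicator. On a real server, feed the script the access log instead of SAMPLE_LOG and review any POST to that endpoint, including ones that returned 500, since a failed attempt still shows the site is being probed.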
