Attackers are trying to exploit CVE-2025-54236, a critical vulnerability affecting Adobe Commerce and Magento Open Source, Sansec researchers have warned.
The company blocked over 250 exploitation attempts targeting multiple stores on Wednesday, and expects the attacks to continue at pace.
About CVE-2025-54236
CVE-2025-54236, aka SessionReaper, is an Improper Input Validation vulnerability that may allow attackers to take over customer accounts.
It affects Adobe Commerce and Magento Open Source versions:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
It also impacts Adobe Commerce B2B versions:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
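The affected-version list above is awkward to apply by hand across a fleet because Magento versions carry pre-release (alphaN) and patch-level (pN) suffixes that sort differently from the base number. The following Python is an added example, not code from the article, Sansec or Adobe: it parses those version strings, compares each one against the ceilings listed above, and flags which (constructed, hypothetical) hosts still need the fix; versions whose release line is not in the list are reported as "not listed" rather than assumed safe.

```python
import re
from typing import Optional, Tuple

# Highest affected release per line, exactly as listed in the advisory text
# above. A version in the same x.y.z line that sorts at or below its ceiling
# is affected; one that sorts above it carries the fix.
AFFECTED_CEILINGS = {
    "commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                 "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "b2b": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
}

# Pre-release tags sort before the plain release, patch levels (pN) after it.
_STAGE_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

def parse_version(version: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Split '2.4.7-p7' into ((2, 4, 7), (3, 7)); the second tuple orders
    alphaN < betaN < plain release < pN within one release line."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    base = (int(major), int(minor), int(patch))
    suffix = (_STAGE_RANK[stage or ""], int(num) if num else 0)
    return base, suffix

def is_affected(version: str, product: str = "commerce") -> Optional[bool]:
    """True if `version` is at or below the listed ceiling for its release line,
    False if it is newer than that ceiling, None if the line is not listed at
    all (the advisory text says nothing about such versions: do not assume safe)."""
    base, suffix = parse_version(version)
    for ceiling in AFFECTED_CEILINGS[product]:
        c_base, c_suffix = parse_version(ceiling)
        if c_base == base:
            return suffix <= c_suffix
    return None

# Constructed inventory for the demo; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "shop-eu": "2.4.7-p7",       # the ceiling itself -> affected
    "shop-us": "2.4.7-p8",       # one patch level above -> fixed
    "shop-dev": "2.4.9-alpha2",  # listed pre-release -> affected
    "shop-legacy": "2.4.3-p3",   # release line not in the list -> unknown
}

def triage(inventory: dict) -> dict:
    """Map each host to 'patch now', 'ok' or 'not listed'."""
    labels = {True: "patch now", False: "ok", None: "not listed"}
    return {host: labels[is_affected(v)] for host, v in inventory.items()}
```

Running `triage(SAMPLE_INVENTORY)` yields "patch now" for shop-eu and shop-dev, "ok" for shop-us, and "not listed" for shop-legacy.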
The vulnerability was discovered and reported by a bug hunter who goes by Blaklis, and Adobe officially released a hotfix for it on September 9, 2025, after it had been accidentally leaked the week before.
At the time, there was no evidence of in-the-wild exploitation.
SessionReaper exploitation attempts
On Wednesday, Assetnote/Searchlight Cyber researcher Tomais Williamson published a technical deep-dive into the vulnerability after reverse-engineering the patch, and warned that while Adobe described the issue as a “security feature bypass”, SessionReaper can allow unauthenticated remote code execution under certain conditions.
“In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user. Instances that do not use file-based session storage (such as Redis-backed instances) may also be vulnerable,” they noted.
“With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours,” Sansec researchers warned.
“Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper’s high impact makes it an attractive target for attackers.”
Sansec shared a list of IP addresses from which the exploit attempts are originating, and noted that the “attack payloads so far contained PHP webshells or phpinfo probes [i.e., requests for information about the PHP version running, enabled extensions and modules, predefined variables, etc.].”
They also warned that only 38% of online Magento stores have been patched so far, which leaves attackers a wide-open field.
They advised site administrators to deploy the patch or upgrade to the latest Adobe Commerce / Magento Open Source security release immediately, and to scan for signs of compromise.