SessionReaper: Critical Adobe Commerce Vulnerability Puts Magento Stores at Risk

A critical flaw in Adobe Commerce (formerly Magento), known as SessionReaper and tracked as CVE-2025-54236, has put online retailers at immediate risk. The vulnerability allows attackers to hijack user sessions and, in some cases, execute remote code on e-commerce servers.

With thousands of stores worldwide running Adobe Commerce, this flaw is a prime target for cybercriminals, especially ahead of the holiday shopping season.


What is SessionReaper?

SessionReaper arises from improper input validation in Adobe Commerce’s authentication mechanisms. Attackers can:

  • Impersonate legitimate users or admins.
  • Take over customer accounts or admin panels.
  • Execute unauthenticated remote code, potentially uploading malicious scripts or backdoors.

Affected systems include multiple versions of Adobe Commerce and Magento Open Source, some of which may not yet have received patches. With a CVSS score of 9.8, the vulnerability is rated critical, impacting confidentiality, integrity, and availability.


Timeline of the Threat

  • September 9, 2025: Adobe issues an emergency security bulletin and patches.
  • October 22, 2025: Security researchers at Sansec release a public proof-of-concept (PoC) exploit.
  • Following the PoC release, attackers launched real-world campaigns targeting vulnerable stores, affecting over 250 e-commerce sites overnight.

How the Vulnerability Works

The flaw lies in weak validation of session-related input in Adobe Commerce:

  1. Attackers send crafted requests to manipulate session data.
  2. This can allow account impersonation or admin panel takeover.
  3. Advanced PoCs demonstrate remote code execution (RCE), which could:
    • Upload web shells to servers.
    • Steal payment and personal data.
    • Install persistent backdoors for long-term access.

The attack requires only a single crafted request, making it highly dangerous for unpatched systems.


Observed Exploitation

Security teams at Akamai detected exploitation waves immediately after the PoC release:

  • 300+ attack probes in just 48 hours.
  • Targets included 130+ unique hosts from 11 IP addresses.
  • Payloads included:
    • PHP web shells for persistent server access.
    • Malicious scripts for reconnaissance and injection testing.
    • phpinfo and echo commands to map server environments.

Akamai’s Adaptive Security Engine (part of App & API Protector) blocked these attacks automatically, neutralizing threats such as web shell uploads without customer intervention.
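As an added illustration (not code from Akamai or from this article), the script below tallies the probe types named above over a handful of constructed WAF events and measures campaign scope the way the figures in this section do: matching requests, distinct hosts hit, distinct source IPs, and hosts per source. The JSON-lines event format, its field names, and the indicator patterns are assumptions.

```python
import json
import re
from collections import Counter

# Request excerpts that match the payload types Akamai reported: phpinfo and echo
# environment probes, and PHP web-shell uploads. The patterns are illustrative only.
INDICATORS = {
    "phpinfo_probe": re.compile(r"phpinfo\s*\(", re.I),
    "echo_probe": re.compile(r"\becho\b", re.I),
    "php_upload": re.compile(r"<\?php|filename=\"[^\"]*\.php\"", re.I),
}

# Constructed JSON-lines WAF events (assumed format); not real traffic from any store.
SAMPLE_LOG = r"""
{"ts":"2025-10-23T01:00:01Z","src_ip":"203.0.113.10","host":"shop-a.example","excerpt":"file=<?php /* omitted */ ?>"}
{"ts":"2025-10-23T01:00:05Z","src_ip":"203.0.113.10","host":"shop-b.example","excerpt":"x=phpinfo();"}
{"ts":"2025-10-23T01:01:00Z","src_ip":"198.51.100.7","host":"shop-a.example","excerpt":"x=echo 1337;"}
{"ts":"2025-10-23T01:02:00Z","src_ip":"198.51.100.7","host":"shop-c.example","excerpt":"filename=\"sh.php\""}
{"ts":"2025-10-23T01:03:00Z","src_ip":"192.0.2.44","host":"shop-a.example","excerpt":"page=2&sort=price"}
"""


def triage(log_text):
    """Tally indicator hits and measure campaign scope (hosts hit, source IPs, hosts per source)."""
    by_indicator = Counter()
    hosts_by_source = {}
    hosts = set()
    probes = 0
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        hits = [name for name, pat in INDICATORS.items() if pat.search(event["excerpt"])]
        if not hits:
            continue  # benign request, ignore
        probes += 1
        by_indicator.update(hits)
        hosts.add(event["host"])
        hosts_by_source.setdefault(event["src_ip"], set()).add(event["host"])
    return {
        "probes": probes,
        "unique_hosts": len(hosts),
        "unique_sources": len(hosts_by_source),
        "by_indicator": dict(by_indicator),
        # a source touching many distinct hosts looks like a mass-scanning campaign
        "hosts_per_source": {ip: len(h) for ip, h in hosts_by_source.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```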


Recommended Mitigations

While WAFs like Akamai App & API Protector offer protection, the most reliable defense remains applying Adobe’s patches. E-commerce operators should:

  1. Update Adobe Commerce/Magento to the latest patched versions.
  2. Scan servers and applications for signs of exploitation.
  3. Enable robust input validation to prevent session manipulation.
  4. Use web application firewalls (WAFs) to block known attack patterns proactively.

Failing to patch leaves stores vulnerable to ransomware, data theft, or long-term backdoors, especially during high-traffic periods.


Key Takeaways

  • SessionReaper (CVE-2025-54236) is a critical Adobe Commerce/Magento flaw.
  • It enables session hijacking and remote code execution on unpatched systems.
  • Public PoCs have triggered real-world attacks, making patching urgent.
  • Combining timely patches, WAFs, and strong input validation provides the best protection.
