Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (formerly Magento) platforms, with hundreds of attempts recorded.
The activity was observed by e-commerce security company Sansec, whose researchers previously described SessionReaper as one of the most severe security bugs in the history of the product.
Adobe warned about CVE-2025-54236 on September 8, saying that it is an improper input validation vulnerability that affects Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 (and earlier).
An attacker successfully exploiting the flaw can take control of account sessions without any user interaction.
“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe explains.
Sansec previously stated that successful exploitation likely depends on storing session data on the file system, the default configuration used by most stores, and that a leaked hotfix from the vendor could provide clues on how it can be leveraged.
Roughly six weeks after the emergency patch for SessionReaper became available, Sansec is confirming active exploitation in the wild.
“Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation,” reads Sansec's bulletin.
“Sansec Shield detected and blocked the first real-world attacks today, which is bad news for the thousands of stores that remain unpatched,” the researchers said.
Just today, Sansec blocked more than 250 SessionReaper exploitation attempts targeting multiple stores, with most of the attacks originating from five IP addresses:
- 34.227.25.4
- 44.212.43.34
- 54.205.171.35
- 155.117.84.134
- 159.89.12.166
The attacks so far included PHP webshells or phpinfo probes that check configuration settings and look for predefined variables on the system.
Also today, researchers at Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, which could lead to an increase in exploitation attempts.
According to Sansec, 62% of the Magento stores online have yet to install Adobe's security update and remain vulnerable to SessionReaper attacks.
The researchers note that ten days after the fix became available, patch activity was so slow that only one in three websites had installed the updates. Currently, 3 in 5 stores are vulnerable.
Website administrators are strongly advised to apply the patch or the recommended mitigations from Adobe as soon as possible.
