
Urgent: Critical Session Takeover Flaw (CVE-2025-54236) in Adobe Commerce & Magento


A critical vulnerability, CVE-2025-54236, dubbed SessionReaper, is currently under active exploitation in Adobe Commerce and Magento Open Source. The flaw arises from improper input validation and can lead to customer account takeover and remote code execution. Security firm Sansec has reported blocking over 250 exploitation attempts, underscoring the urgency for administrators to apply the patch or, failing that, a temporary mitigation immediately.

Vulnerability Details

SessionReaper (CVE-2025-54236) is a critical improper input validation vulnerability in the Commerce REST API.

  • Exploitation Method:
    Attackers upload crafted files disguised as session data through the /customer/address_file/upload endpoint without needing to authenticate, so the authentication controls that would normally gate file uploads do not apply.
  • Resulting Risk:
    When the application later loads that attacker-controlled data as a session, a nested deserialization occurs, which can lead to full remote code execution. Systems using file-based session storage are particularly exposed, because the uploaded file is read back from disk as if it were a legitimate session.

A technical analysis with proof-of-concept code was published by Assetnote researchers on October 21, 2025, further increasing the urgency for patching.

Affected Products

Adobe Commerce & Magento Open Source versions:

  • 2.4.9-alpha2 and earlier
  • 2.4.8-p2 and earlier
  • 2.4.7-p7 and earlier
  • 2.4.6-p12 and earlier
  • 2.4.5-p14 and earlier
  • 2.4.4-p15 and earlier

Adobe Commerce B2B versions:

  • 1.5.3-alpha2 and earlier
  • 1.5.2-p2 and earlier
  • 1.4.2-p7 and earlier
  • 1.3.4-p14 and earlier
  • 1.3.3-p15 and earlier
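The two checks a practitioner wants from the lists above are "is my build at or below the affected cutoff for its branch?" and "am I on file-based session storage, the case the advisory singles out for RCE?". The script below is an added example, not code from this page, Adobe or Sansec. The cutoffs are copied from the lists above; the ordering alpha < beta < GA < pN within a branch is an assumption about Adobe's version scheme, `SAMPLE_ENV_PHP` is a constructed fragment, and the env.php regex assumes the installer's layout where `save` is the first key under `session`.

```python
"""Exposure triage for CVE-2025-54236 (added example, not Adobe's or Sansec's code)."""
import re

# Highest affected build per release branch, as listed on this page.
AFFECTED_CUTOFF = {
    "Adobe Commerce": {
        "2.4.9": "2.4.9-alpha2", "2.4.8": "2.4.8-p2", "2.4.7": "2.4.7-p7",
        "2.4.6": "2.4.6-p12", "2.4.5": "2.4.5-p14", "2.4.4": "2.4.4-p15",
    },
    "Adobe Commerce B2B": {
        "1.5.3": "1.5.3-alpha2", "1.5.2": "1.5.2-p2", "1.4.2": "1.4.2-p7",
        "1.3.4": "1.3.4-p14", "1.3.3": "1.3.3-p15",
    },
}
# Magento Open Source shares the Commerce branch numbering on this page.
AFFECTED_CUTOFF["Magento Open Source"] = AFFECTED_CUTOFF["Adobe Commerce"]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Assumed ordering within a branch: alphaN < betaN < GA (no suffix) < pN.
SUFFIX_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(v):
    """Split '2.4.7-p7' into ('2.4.7', (3, 7)); the tuple sorts builds inside a branch."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, kind, n = m.groups()
    return f"{major}.{minor}.{patch}", (SUFFIX_RANK[kind], int(n or 0))


def is_affected(product, version):
    """True if at/below the page's cutoff, False if later, None if the branch isn't listed."""
    branch, key = parse_version(version)
    cutoff = AFFECTED_CUTOFF[product].get(branch)
    if cutoff is None:
        return None  # not in the table above; consult Adobe's bulletin directly
    return key <= parse_version(cutoff)[1]


# Matches the installer-written block: 'session' => [ 'save' => 'files' ] (assumption).
SESSION_SAVE_RE = re.compile(r"'session'\s*=>\s*\[\s*'save'\s*=>\s*'([^']+)'")


def session_storage(env_php):
    """Return the configured session handler ('files', 'redis', 'db', ...) or None."""
    m = SESSION_SAVE_RE.search(env_php)
    return m.group(1) if m else None


def triage(product, version, env_php):
    affected = is_affected(product, version)
    storage = session_storage(env_php)
    return {
        "affected": affected,
        "session_storage": storage,
        # The combination the advisory flags as the RCE case.
        "file_sessions_on_affected_build": bool(affected) and storage == "files",
    }


# Constructed app/etc/env.php fragment (not from a real store).
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => ['frontName' => 'admin'],
    'session' => [
        'save' => 'files'
    ],
    'MAGE_MODE' => 'production'
];
"""

if __name__ == "__main__":
    print(triage("Adobe Commerce", "2.4.6-p11", SAMPLE_ENV_PHP))
```

Run it against the output of `bin/magento --version` and the real `app/etc/env.php`; a `None` result means the branch is not in the lists above, which for out-of-support branches should be treated as unknown rather than safe.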

Impact & Exploit Potential

Successful exploitation of SessionReaper can result in severe consequences:

  • Customer account takeover
  • Remote code execution
  • Data breaches
  • Full store compromise

Security researchers at Sansec have compared SessionReaper to prior high-severity Magento vulnerabilities, such as CosmicSting, TrojanOrder, and Shoplift, all of which caused widespread breaches.

Observed Exploit Behavior:
Attackers have uploaded PHP web shells and executed phpinfo() probes to extract server configuration details.

Mitigation & Recommendations

Administrators should implement the following immediate mitigations:

  1. Apply the Official Patch: Upgrade to a fixed release or apply Adobe's official patch to the affected branch you are running, then verify on the server that the patch is actually present rather than assuming a deployment carried it.
  2. Web Application Firewall (WAF): Enable WAF protection as a temporary mitigation only. Sansec Shield and Adobe Fastly can block this specific attack, but a WAF rule does not remove the vulnerable code.
  3. Scan for Compromises: Use malware scanners to detect existing compromises. Patching does not evict an attacker who has already dropped a web shell, so scan even after the patch is applied.
  4. Rotate Cryptographic Keys: Rotate the store's cryptographic keys so that an attacker who has already obtained them cannot continue to modify content or forge trusted data after the hole is closed.

Indicators of Compromise (IOCs)

Sansec has identified active exploit IP addresses:

  • 34.227.25[.]4
  • 44.212.43[.]34
  • 54.205.171[.]35
  • 155.117.84[.]134
  • 159.89.12[.]166

These IPs have been observed delivering payloads, probing server configurations, or installing backdoors.
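The observed behaviour above (uploads to the endpoint, phpinfo() probes, dropped PHP web shells) and the IOC IP list translate directly into an access-log sweep. The following is an added example, not code from this page, Sansec or Adobe. It assumes Apache/nginx combined log format, that the exploited endpoint appears in the request path as /customer/address_file/upload (no assumption about any route prefix in front of it), and that the only PHP entry points a Magento web root legitimately serves are the ones in `KNOWN_PHP`; the IOC IPs are the ones listed above, re-fanged, and `SAMPLE_LOG` is constructed traffic.

```python
"""Sweep web-server access logs for SessionReaper (CVE-2025-54236) activity.
Added example, not code from this page, Sansec or Adobe."""
import re

# Exploit IPs listed on this page (defanged in the text, re-fanged here).
IOC_IPS = {
    "34.227.25.4", "44.212.43.34", "54.205.171.35", "155.117.84.134", "159.89.12.166",
}

# PHP files a Magento web root legitimately serves (assumed list); any other .php
# request is treated as a possible dropped web shell.
KNOWN_PHP = {"/index.php", "/get.php", "/static.php", "/health_check.php", "/cron.php"}

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
UPLOAD_RE = re.compile(r"/customer/address_file/upload(?:[/?]|$)", re.I)
# Script part of a path: everything up to the first '.php' followed by '/', '?' or end.
SCRIPT_RE = re.compile(r"^(?P<script>[^?]*?\.php)(?=/|\?|$)", re.I)


def classify(line):
    """Parse one log line; return None if unparseable, else a dict with a 'reasons' list."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path = m.group("ip"), m.group("method"), m.group("path")
    reasons = []
    if ip in IOC_IPS:
        reasons.append("ioc_ip")
    if UPLOAD_RE.search(path):
        # A POST is the actual upload; a GET is at most reconnaissance.
        reasons.append("upload_post" if method == "POST" else "upload_endpoint")
    if "phpinfo" in path.lower():
        reasons.append("phpinfo_probe")
    s = SCRIPT_RE.match(path)
    if s and s.group("script").lower() not in KNOWN_PHP:
        reasons.append("unexpected_php")
    return {"ip": ip, "method": method, "path": path,
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Return only the flagged entries, in log order."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


# Constructed sample lines (not real traffic); RFC 5737 addresses for the benign client.
SAMPLE_LOG = """\
34.227.25.4 - - [22/Oct/2025:10:15:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.9 - - [22/Oct/2025:10:15:07 +0000] "GET /media/info.php?x=phpinfo HTTP/1.1" 200 64000 "-" "curl/8.0"
198.51.100.7 - - [22/Oct/2025:10:16:00 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2025:10:16:02 +0000] "GET /static/version1/frontend/Magento/luma/en_US/css/styles.css HTTP/1.1" 200 120000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], ",".join(hit["reasons"]))
```

Treat `upload_post` on its own as a lead rather than proof, since the endpoint also serves legitimate address-file uploads; a POST to it from an IOC address, or one followed shortly by `unexpected_php` or `phpinfo_probe` hits, is the pattern worth escalating.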

Tactics, Techniques, and Procedures (TTPs)

Exploitation of SessionReaper maps to the following MITRE ATT&CK tactics and techniques:

  • TA0001 – Initial Access: Exploit a public-facing application
  • TA0002 – Execution: Execute arbitrary code via malicious file uploads
  • TA0003 – Persistence: Maintain access to compromised systems
  • TA0011 – Command and Control: Use web shells for remote control
  • T1190 – Exploit Public-Facing Application: Target exposed endpoints
  • T1505 – Server Software Component: Exploit vulnerable server components
  • T1505.003 – Web Shell: Leverage web shells for command execution

Current Threat Landscape

Despite the availability of a patch, only 38% of online Magento stores had applied protections at the time of writing, leaving 62% vulnerable. The slow adoption rate gives attackers a significant window to exploit this critical flaw.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated patching solution that fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.