Over 250 Magento and Adobe Commerce stores have been compromised following the discovery of a critical vulnerability known as CVE-2025-54236, or “SessionReaper.” The flaw allows remote attackers to execute arbitrary commands through the Commerce REST API, giving them full control over vulnerable servers. Security researchers have confirmed that the exploit is being actively used in the wild, with mass attacks observed across hundreds of online stores.
Threat Summary Table
| Vulnerability | CVE-2025-54236 (SessionReaper) | 
|---|---|
| CVSS Score | 9.1 (Critical) | 
| Product Affected | Adobe Commerce and Magento Open Source (2.4.9-alpha2 and earlier) | 
| Attack Type | Remote Code Execution via Commerce REST API | 
| Impact | Account takeover, PHP webshell uploads, and server compromise | 
| Discovery | Blaklis (Security Researcher) | 
| First Reported Exploitation | October 22, 2025 | 
Overview of the SessionReaper Exploit
The vulnerability, first reported by researcher Blaklis and tracked as CVE-2025-54236, affects all on-premise versions of Adobe Commerce and Magento Open Source. It results from improper input validation within the Commerce REST API, which allows attackers to hijack customer sessions and execute malicious code without authentication. Adobe patched the issue in September 2025, but widespread exploitation began just six weeks later, when many stores remained unpatched.
Security company Sansec reported detecting more than 250 attacks in less than 24 hours, with the majority of probes originating from compromised servers across the United States. The firm noted that 62% of all Magento installations were still vulnerable at the time of discovery, creating a large pool of exploitable targets for cybercriminals.
Technical Details and Exploitation Method
The SessionReaper exploit abuses a deserialization flaw that enables remote code execution through manipulated API requests. Attackers use this vulnerability to upload PHP backdoors disguised as customer session files through the “/customer/address_file/upload” endpoint. Once uploaded, these files act as webshells, granting attackers persistent access to the underlying server.
Sansec’s analysis confirmed that several of the malicious uploads were simple PHP shells capable of executing arbitrary commands or extracting PHP configuration data using functions such as phpinfo() and echo(). Attackers were observed connecting from multiple IP addresses, including:
- 34.227.25[.]4
- 44.212.43[.]34
- 54.205.171[.]35
- 155.117.84[.]134
- 159.89.12[.]166
 
According to cybersecurity experts, the attacks are designed to establish initial footholds that can later be leveraged for larger-scale data breaches, card skimming, or ransomware deployment. The same threat actors have also been seen deploying the Havoc post-exploitation framework to execute commands, gather credentials, and move laterally across compromised systems.
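A defender reviewing web server logs for the activity described above would look for requests to the upload endpoint the article names, PHP files being served from under /customer/, and hits from the listed source IPs. The following is an added example (not code from Sansec, Adobe or the article) that scores each access-log line on those three signals; the log lines are constructed, and the .php location used in one of them is a hypothetical path chosen only to exercise that check.

```python
import re

# IPs the article reports in exploitation attempts (written defanged there).
WATCHLIST_IPS = {"34.227.25.4", "44.212.43.34", "54.205.171.35",
                 "155.117.84.134", "159.89.12.166"}
UPLOAD_ENDPOINT = "/customer/address_file/upload"   # endpoint named in the article

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic); the .php path is a hypothetical
# location used only to exercise the "PHP file under /customer/" check.
SAMPLE_LOG = """\
34.227.25.4 - - [22/Oct/2025:10:15:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Oct/2025:10:15:09 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
54.205.171.35 - - [22/Oct/2025:10:16:44 +0000] "GET /customer/address_file/upload/x.php HTTP/1.1" 200 1337 "-" "curl/8.0"
198.51.100.9 - - [22/Oct/2025:10:17:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the list of reasons an entry is worth reviewing (empty if none)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]          # drop any query string
    if path.startswith(UPLOAD_ENDPOINT):
        reasons.append("upload-endpoint")          # any hit on the abused endpoint
    if path.startswith("/customer/") and path.lower().endswith(".php"):
        reasons.append("php-under-customer-path")  # PHP served from an upload area
    if entry["ip"] in WATCHLIST_IPS:
        reasons.append("watchlist-ip")
    return reasons

def analyze(log_text):
    """Parse every line and keep those with at least one reason attached."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings
```

Feed real access logs through `analyze()` and review the flagged lines; a 200 response to a POST on the upload endpoint from an unfamiliar client is the case to triage first.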
Comparison to Previous Magento Exploits
CVE-2025-54236 is the second major deserialization flaw to affect Magento in as many years. In 2024, the CosmicSting vulnerability (CVE-2024-34102) was exploited in widespread campaigns that compromised thousands of eCommerce sites. Earlier historic threats such as TrojanOrder (2022) and Shoplift (2015) followed similar patterns, demonstrating how vulnerable unpatched installations can become within hours of exploit publication.
Adobe confirmed that CVE-2025-54236 has been exploited in the wild and issued a critical priority patch (Priority 1), recommending immediate deployment across all Commerce and Magento versions between 2.4.4 and 2.4.9. Attackers are believed to have automated exploit scripts that scan for unpatched systems, leading to rapid infection spikes.
Evidence of Widespread Compromise
Sansec’s October 26 update reported that nearly 49% of all Magento stores were targeted in coordinated attacks, with up to 18% showing signs of active compromise or backdoor injection. These figures were later supported by data from Akamai, which observed over 300 exploitation attempts targeting 130 different hosts over a 48-hour period.
The payloads delivered via SessionReaper are primarily PHP-based backdoors, allowing remote command execution, file uploads, and credential theft. Some attacks also used reconnaissance probes to gather detailed information about server configurations, installed extensions, and PHP versions before launching further exploits.
Indicators of Compromise
| Indicator | Type | Description | 
|---|---|---|
| CVE-2025-54236 | Vulnerability | Improper input validation in Adobe Commerce REST API | 
| /customer/address_file/upload | Path | Endpoint used to upload malicious PHP files | 
| 34.227.25[.]4 | IP Address | Observed in active exploitation attempts | 
| 54.205.171[.]35 | IP Address | Used to deliver webshell payloads | 
| phpinfo() | Function | Used for reconnaissance during exploitation | 
| eComscan | Tool | Recommended malware scanner for Magento sites | 
Mitigation and Response Recommendations
All Magento and Adobe Commerce administrators should immediately apply Adobe’s security hotfix for CVE-2025-54236 or upgrade to the latest supported version. Failure to patch leaves eCommerce environments vulnerable to complete takeover and data theft. Additional recommendations include:
- Apply the latest hotfix available for all Magento versions between 2.4.4 and 2.4.9.
- Temporarily restrict REST API access or place it behind authentication until patched.
- Enable and configure a website malware scanner to detect PHP webshells and unauthorized file uploads.
- Review all “/customer/” directories for unusual files and check for unauthorized admin accounts.
- Block the malicious IP addresses associated with the campaign.
- Regularly back up site data and database content to ensure recoverability after compromise.
- Use updated antivirus and anti-malware protection on all administrative endpoints.
 
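The “review /customer/ directories for unusual files” step above can be done mechanically: any file in a customer upload area that contains a PHP open tag is suspect, and doubly so when its name does not end in .php (the article describes backdoors disguised as session files). The following is an added example (not eComscan or any Adobe tooling) that walks a directory tree and reports such files; the sample directory it builds is constructed, with one “session”-named file holding a harmless phpinfo() call.

```python
import os
import re
import tempfile

# PHP open tags and a short list of calls commonly seen in uploaded webshells
# (phpinfo() is the reconnaissance call the article mentions).
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SUSPICIOUS_RE = re.compile(
    rb"\b(eval|system|shell_exec|passthru|exec|assert|base64_decode|phpinfo)\s*\(",
    re.IGNORECASE)
ALLOWED_PHP_EXT = {".php", ".phtml"}

def inspect_file(path, max_bytes=1_000_000):
    """Return a finding dict for a file that contains PHP code, else None."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    if not PHP_TAG_RE.search(data):
        return None                       # only PHP code is of interest here
    ext = os.path.splitext(path)[1].lower()
    reasons = ["php-open-tag"]
    if ext not in ALLOWED_PHP_EXT:        # PHP hiding behind a non-PHP name
        reasons.append("php-code-in-%s-file" % (ext.lstrip(".") or "extensionless"))
    calls = sorted({m.group(1).decode().lower() for m in SUSPICIOUS_RE.finditer(data)})
    if calls:
        reasons.append("suspicious-calls:" + ",".join(calls))
    return {"path": path, "reasons": reasons}

def scan_dir(root):
    """Walk an upload directory tree and collect findings, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_dir():
    """Constructed sample: a benign image, a text file, and PHP in a 'session' file."""
    root = tempfile.mkdtemp(prefix="customer_uploads_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes",
        "notes.txt": b"plain text, nothing to see here",
        "sess_8f2a": b"<?php phpinfo(); ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_dir()` against the store's real customer upload path; a legitimate upload directory should contain no PHP at all, so every finding deserves a look.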
Outlook and Risk Assessment
The ongoing exploitation of CVE-2025-54236 highlights the persistent challenges faced by online merchants and web administrators. With nearly two-thirds of Magento stores unpatched at the time of exploitation, SessionReaper represents one of the most dangerous eCommerce vulnerabilities of the year.
Security experts anticipate that automated scanning and mass exploitation will continue as proof-of-concept tools spread across underground forums. For store owners, proactive patching and strong cybersecurity hygiene remain the most effective defenses against these high-impact web attacks.