Active Exploitation of CVE-2025-54236: Magento SessionReaper Attacks

Hackers are actively exploiting CVE-2025-54236, a critical Magento SessionReaper vulnerability that enables customer session hijacking and data theft. Learn impact, IOCs, and how to patch fast.


Attackers are actively exploiting CVE-2025-54236, which lets them hijack customer sessions on Magento and Adobe Commerce stores and reach the personal data those sessions protect. The flaw stems from improper input validation in the platform's REST API and affects multiple versions of Adobe Commerce and Magento Open Source. Within a single day of exploit code becoming public, more than 250 stores were hit by exploitation attempts. Consumer trust is at stake, and affected merchants need to patch, invalidate sessions and hunt for compromise immediately.

Understanding the SessionReaper Vulnerability

SessionReaper, tracked as CVE-2025-54236, has technical mechanics but a simple consequence: an attacker can take over a customer's session.

This critical flaw in Adobe Commerce's REST API allows an unauthenticated attacker, with no user interaction, to hijack customer sessions. It stems from improper input validation and unsafe handling of serialized data, and it affects multiple versions of Magento Open Source and Adobe Commerce.

With over 250 exploitation attempts recorded in a single day, most of them aimed at the /customer/address_file/upload endpoint, the urgency of remediation is apparent.

Despite Adobe's emergency patch, approximately 62% of Magento stores remain unpatched and vulnerable. The vulnerability is easy to exploit, which makes large-scale account takeover a realistic outcome rather than a theoretical one.

Impact on Online Stores and Consumers

The exploitation of CVE-2025-54236 poses significant threats to both online stores and their consumers.

Attackers can hijack live customer sessions and, without ever supplying a password, gain unauthorized access to personal and payment information, which amounts to account takeover. More than 250 Magento stores were hit by exploitation attempts shortly after the exploit code was published, showing how quickly the attacks spread.

In addition, approximately 62% of Magento stores remained unpatched six weeks later, leaving them exposed.

Compromised stores face severe consequences, including data theft and fraudulent orders, as well as the risk of skimmer code injection to capture credit card details.

A flaw that bypasses session security in this way undermines consumer trust in e-commerce platforms, potentially causing long-term damage to affected businesses and making consumers reluctant to shop online.

Identifying Signs of Compromise

Detecting signs of compromise is essential for mitigating the risks associated with CVE-2025-54236.

Indicators of session hijacking include spikes in REST API traffic directed at customer-authentication or session endpoints, which suggest unauthorized access attempts. Bursts of anonymous API requests followed by unusual account activity, such as password resets or address changes, may also indicate compromised sessions.

Moreover, multiple accounts accessed from the same IP address or user agent within a brief timeframe raise red flags for exploitation. Suspicious user-agent strings associated with clusters of account actions can indicate automated probing.

Finally, web-server logs showing requests to the exploit endpoint (/customer/address_file/upload) or probes for phpinfo() are strong indicators of compromise tied to this vulnerability.

Immediate Remediation Steps

Applying immediate remediation steps is essential to counter the risks posed by CVE-2025-54236.

Security researchers emphasize the urgent need for store owners to apply the emergency patch, as 62% of Magento stores remain unpatched weeks after its release.

Patching closes the door but does not log out anyone who already walked through it. After applying the patch, invalidate all active sessions and rotate integration tokens and API keys so that sessions or credentials an attacker already holds stop working.

A Web Application Firewall (WAF) adds a layer of defense while patching is under way, but it is a stopgap, not a substitute for the patch.

Regular scans for indicators of compromise, particularly unusual access patterns, are also recommended remediation steps to detect potential exploitation.

Moreover, educating staff on recognizing suspicious activities enhances an organization’s ability to respond effectively to security threats.

The Future of Security in E-Commerce Platforms

How can e-commerce platforms effectively safeguard against the increasing sophistication of cyber threats?

The recent exploitation of CVE-2025-54236, known as SessionReaper, underscores the critical need for enhanced e-commerce security measures.

With over 250 Magento stores hit by exploitation attempts shortly after the exploit's release, the need for timely patching and proactive security protocols is evident.

Approximately 62% of stores remained unpatched weeks later, revealing a significant vulnerability within e-commerce practices.

To combat such threats, platforms must adopt layered security strategies that leverage web application firewalls (WAFs) and continuous monitoring to protect against vulnerabilities.

As cyber threats evolve, securing payment data and personal information will be essential for maintaining consumer trust and ensuring the longevity of e-commerce systems in a competitive landscape.


© 2025 Threat On The Wire. All rights reserved.