Hackers are actively exploiting **CVE-2025-54236 (SessionReaper)**, a critical **improper input validation vulnerability** in Adobe Commerce (formerly Magento). The flaw allows attackers to **take over customer accounts via the Commerce REST API without user interaction**, potentially leading to **unauthorized access to sensitive customer data, financial fraud, or full account compromise**.

Over **250 exploitation attempts** were blocked in a single day, with **62% of Magento stores remaining unpatched** and vulnerable. Attackers are deploying **PHP webshells and reconnaissance probes (phpinfo)** to assess system configurations, escalating the risk of **large-scale data breaches or financial theft**. The vulnerability affects multiple versions, including **2.4.9-alpha2, 2.4.8-p2, and earlier**, with default configurations (file-based session storage) being the primary attack vector.

Adobe issued an **emergency patch**, but slow adoption—only **40% of stores patched after six weeks**—exposes thousands of e-commerce platforms to **account takeovers, payment fraud, and reputational damage**. Security firms warn of **increased attack volumes** following public technical analyses, urging immediate patching to prevent **widespread customer data compromise and operational disruptions**.
TPRM report: https://www.rankiteo.com/company/adobe-commerce
"id": "ado0402304102325",
"linkid": "adobe-commerce",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "industry": "Retail/E-Commerce",
      "location": "Global",
      "name": "Adobe Commerce (Magento) Users",
      "type": ["E-Commerce Platforms", "Online Stores"]
    }
  ],
  "attack_vector": [
    "Network-Based",
    "Exploitation of Public-Facing Application (CVE-2025-54236)",
    "REST API Abuse"
  ],
  "customer_advisories": [
    "Users of Adobe Commerce/Magento stores should:",
    "- Change passwords if suspicious activity is detected.",
    "- Enable multi-factor authentication (MFA) where available.",
    "- Monitor transaction histories for fraud."
  ],
  "data_breach": {
    "data_exfiltration": ["Potential (Via PHP Webshells or Probes)"],
    "personally_identifiable_information": ["Potential (If Session Data Includes PII)"],
    "sensitivity_of_data": ["High (If Sessions Include PII or Payment Data)"],
    "type_of_data_compromised": ["Session Data (Potential)", "Customer Account Access (If Exploited)"]
  },
  "date_detected": "2025-09-08",
  "date_publicly_disclosed": "2025-09-08",
  "description": "Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (formerly Magento) platforms, with hundreds of attempts recorded. The flaw, an improper input validation issue, allows attackers to take control of account sessions without user interaction via the Commerce REST API. Sansec detected and blocked over 250 exploitation attempts from five IP addresses, primarily deploying PHP webshells or phpinfo probes. As of the report, 62% of Magento stores remain unpatched and vulnerable.",
  "impact": {
    "brand_reputation_impact": ["High (Due to Widespread Vulnerability and Active Exploitation)"],
    "data_compromised": ["Potential Customer Account Data (Session Hijacking)"],
    "identity_theft_risk": ["High (If Customer Sessions Compromised)"],
    "operational_impact": ["Risk of Account Takeovers", "Unauthorized Access to Customer Sessions"],
    "payment_information_risk": ["Potential (If Session Data Includes Payment Tokens)"],
    "systems_affected": ["Adobe Commerce (Magento) Platforms (Versions: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier)"]
  },
  "initial_access_broker": {
    "backdoors_established": ["PHP Webshells (Observed in Attacks)"],
    "entry_point": ["Exploiting CVE-2025-54236 via REST API"],
    "high_value_targets": ["Customer Session Data", "Payment Information (If Accessible)"],
    "reconnaissance_period": ["Likely minimal (Opportunistic scans for unpatched systems)"]
  },
  "investigation_status": "Ongoing (Active Exploitation Confirmed; Patch Adoption Monitored)",
  "lessons_learned": [
    "Critical vulnerabilities in widely used e-commerce platforms can lead to rapid, large-scale exploitation if left unpatched.",
    "Default configurations (e.g., file-system session storage) can exacerbate risk.",
    "Slow patch adoption (62% unpatched after 6 weeks) highlights the need for automated update mechanisms or stricter enforcement."
  ],
  "motivation": ["Opportunistic", "Financial Gain (Potential)", "Data Theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Adobe: Release emergency patch and public advisory.",
      "Sansec: Deploy detection rules and block exploitation attempts.",
      "Store Administrators: Apply patches, reconfigure session storage, and monitor for IoCs."
    ],
    "root_causes": [
      "Improper input validation in Adobe Commerce REST API (CVE-2025-54236).",
      "Default insecure session storage configuration (file-system).",
      "Delayed patch adoption by store administrators."
    ]
  },
  "recommendations": [
    "Immediately apply Adobe's security patch for CVE-2025-54236.",
    "Audit session storage configurations; avoid file-system storage if possible.",
    "Deploy WAF rules or intrusion detection (e.g., Sansec Shield) to block exploitation attempts.",
    "Monitor for unusual REST API activity or PHP webshell artifacts.",
    "Educate customers on recognizing unauthorized account access."
  ],
  "references": [
    {"date_accessed": "2025-09-08", "source": "Adobe Security Bulletin (CVE-2025-54236)"},
    {"date_accessed": "2025-10-20 (approx., 6 weeks post-patch)", "source": "Sansec Bulletin on SessionReaper Exploitation"},
    {"date_accessed": "2025-10-20 (approx.)", "source": "Searchlight Cyber Technical Analysis"}
  ],
  "response": {
    "communication_strategy": ["Public Advisory by Adobe (2025-09-08)", "Sansec Bulletin", "Searchlight Cyber Technical Analysis"],
    "containment_measures": ["Blocking Exploitation Attempts (Sansec Shield)", "Patching Vulnerability (Recommended)"],
    "enhanced_monitoring": ["Sansec Shield (Ongoing Detection)"],
    "incident_response_plan_activated": ["Sansec Shield Detection/Blocking"],
    "remediation_measures": ["Apply Adobe Security Update", "Mitigations per Adobe Advisory"],
    "third_party_assistance": ["Sansec (Detection/Analysis)", "Searchlight Cyber (Technical Analysis)"]
  },
  "stakeholder_advisories": [
    "Adobe Commerce Administrators: Urgent patching required.",
    "E-Commerce Security Teams: Monitor for indicators of compromise (IoCs) tied to the 5 attacker IPs.",
    "Customers: Watch for unauthorized account activity."
  ],
  "title": "Active Exploitation of SessionReaper Vulnerability (CVE-2025-54236) in Adobe Commerce (Magento)",
  "type": ["Vulnerability Exploitation", "Unauthorized Access", "Session Hijacking"],
  "vulnerability_exploited": "CVE-2025-54236 (Improper Input Validation in Adobe Commerce/Magento)"
}