Adobe is facing active exploitation attempts targeting **CVE-2025-54236 (SessionReaper)**, a critical **Improper Input Validation** vulnerability in **Adobe Commerce and Magento Open Source**. The flaw allows attackers to **take over customer accounts** and, in certain configurations (e.g., file-based session storage), achieve **unauthenticated remote code execution (RCE)**. Over **250 exploitation attempts** were blocked in a single day, with expectations of **mass exploitation within 48 hours** due to publicly available exploit details. Only **38% of Magento stores** have applied the patch, leaving the vast majority exposed. Attackers are deploying **PHP webshells and phpinfo probes**, indicating reconnaissance for deeper compromise. The vulnerability affects multiple versions of Adobe Commerce, Magento Open Source, and B2B editions. While Adobe released a hotfix on **September 9, 2025**, the leak of technical details a week prior accelerated attacker activity. Sansec researchers warn that **automated scanning tools** are emerging rapidly, increasing the risk of large-scale breaches. Administrators are urged to **patch immediately** and scan for signs of intrusion, as delayed action could lead to **widespread account takeovers, data theft, or financial fraud** through compromised e-commerce platforms.
Source: https://www.helpnetsecurity.com/2025/10/23/adobe-magento-cve-2025-54236-attack/
TPRM report: https://www.rankiteo.com/company/adobe-commerce
"id": "ado5132051102325",
"linkid": "adobe-commerce",
"type": "Vulnerability",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Adobe (Adobe Commerce)',
'size': 'Large Enterprise',
'type': 'Software Vendor'},
{'customers_affected': 'Potentially all unpatched '
'stores (62% as of report)',
'industry': 'Retail',
'location': 'Global',
'name': 'Multiple Magento Open Source Users',
'size': ['SMB', 'Enterprise'],
'type': ['E-commerce Businesses', 'Online Retailers']}],
'attack_vector': ['Network-Based',
'Exploitation of Public-Facing Application'],
'customer_advisories': ['Monitor accounts for unauthorized activity',
'Report suspicious login attempts'],
'data_breach': {'data_exfiltration': ['Potential (if RCE achieved)'],
'file_types_exposed': ['Potential: PHP files (webshells)',
'Session files',
'Database dumps (if RCE)'],
'personally_identifiable_information': ['Potential (if '
'customer accounts '
'compromised)'],
'sensitivity_of_data': ['High (if PII or payment data '
'accessed)'],
'type_of_data_compromised': ['Potential: Customer Account '
'Credentials',
'Session Data',
'Sensitive Information (if RCE '
'achieved)']},
'date_detected': '2025-09-11',
'date_publicly_disclosed': '2025-09-11',
'description': "Attackers are exploiting CVE-2025-54236, a critical 'Improper "
"Input Validation' vulnerability (dubbed 'SessionReaper') in "
'Adobe Commerce and Magento Open Source. The flaw may allow '
'attackers to take over customer accounts or achieve '
'unauthenticated remote code execution (RCE) under certain '
'conditions (e.g., file-based session storage). Over 250 '
'exploitation attempts were blocked on Wednesday, with '
'expectations of mass exploitation within 48 hours due to '
'public exploit details. Only 38% of Magento stores are '
'patched, leaving a majority vulnerable. Attack payloads '
'include PHP webshells and phpinfo probes.',
'impact': {'brand_reputation_impact': ['Potential Reputation Damage if '
'Breached'],
'data_compromised': ['Potential Customer Account Takeover',
'Potential Sensitive Data Exposure (if RCE '
'achieved)'],
'identity_theft_risk': ['High (if customer accounts compromised)'],
'operational_impact': ['Increased Risk of Compromise',
'Urgent Patching Required',
'Incident Response Activation'],
'payment_information_risk': ['Potential (if RCE leads to database '
'access)'],
'systems_affected': ['Adobe Commerce', 'Magento Open Source']},
'investigation_status': 'Ongoing (active exploitation attempts being '
'monitored)',
'lessons_learned': ['Critical vulnerabilities in widely-used e-commerce '
'platforms are prime targets for mass exploitation.',
'Delayed patching significantly increases risk (only 38% '
'patched at time of attacks).',
'Public disclosure of exploit details accelerates '
'attacker activity (mass exploitation expected within 48 '
'hours).',
'File-based session storage introduces higher risk of RCE '
'in this vulnerability.'],
'motivation': ['Opportunistic',
'Financial Gain (Potential)',
'Data Theft (Potential)',
'Unauthorized Access'],
'post_incident_analysis': {'corrective_actions': ['Apply security patches '
'promptly upon release.',
'Review and harden session '
'storage mechanisms.',
'Implement network-level '
'protections (e.g., WAF '
'rules) for critical '
'vulnerabilities.',
'Enhance monitoring for '
'exploitation attempts '
'post-disclosure.'],
'root_causes': ['Improper input validation in '
'session handling '
'(CVE-2025-54236).',
'Delayed patching by majority of '
'users (62% unpatched at time of '
'attacks).',
'File-based session storage '
'increasing severity to RCE in '
'some configurations.']},
'recommendations': ['Immediately apply the Adobe hotfix or upgrade to the '
'latest secure version of Adobe Commerce/Magento Open '
'Source.',
'Audit session storage configurations (prioritize moving '
'away from file-based storage if possible).',
'Monitor for indicators of compromise (e.g., PHP '
'webshells, unusual phpinfo requests).',
'Block known malicious IPs associated with exploitation '
'attempts (shared by Sansec).',
'Enable WAF rules to detect and block SessionReaper '
'exploitation patterns.',
'Conduct a thorough review of customer accounts for signs '
'of unauthorized access.',
'Educate customers on phishing risks, as compromised '
'accounts may be used for further attacks.'],
'references': [{'date_accessed': '2025-09-11',
'source': 'Sansec Research Advisory'},
{'date_accessed': '2025-09-11',
'source': 'Assetnote/Searchlight Cyber Technical Deep-Dive by '
'Tomais Williamson'},
{'date_accessed': '2025-09-09',
'source': 'Adobe Security Bulletin for CVE-2025-54236'}],
'regulatory_compliance': {'regulatory_notifications': ['Potential GDPR/CCPA '
'Notifications if PII '
'Breached']},
'response': {'communication_strategy': ['Public Advisory by Sansec',
'Technical Deep-Dive by Assetnote',
'Urgent Patching Recommendations'],
'containment_measures': ['Blocking Exploit Attempts (250+ '
'blocked)',
'IP Blacklisting'],
'enhanced_monitoring': ['Monitor for Exploitation Attempts',
'Scan for Webshells/phpinfo Probes'],
'incident_response_plan_activated': True,
'remediation_measures': ['Apply Adobe Hotfix (released '
'2025-09-09)',
'Upgrade to Latest Secure Version',
'Scan for Signs of Compromise'],
'third_party_assistance': ['Sansec',
'Assetnote/Searchlight Cyber']},
'stakeholder_advisories': ['Urgent patching recommended for all Adobe '
'Commerce/Magento Open Source users'],
'title': 'Exploitation Attempts Targeting CVE-2025-54236 (SessionReaper) in '
'Adobe Commerce and Magento Open Source',
'type': ['Vulnerability Exploitation',
'Unauthorized Access',
'Potential Remote Code Execution (RCE)',
'Account Takeover'],
'vulnerability_exploited': {'affected_versions': {'Adobe Commerce B2B': ['1.5.3-alpha2 '
'and '
'earlier',
'1.5.2-p2 '
'and '
'earlier',
'1.4.2-p7 '
'and '
'earlier',
'1.3.4-p14 '
'and '
'earlier',
'1.3.3-p15 '
'and '
'earlier'],
'Adobe Commerce/Magento Open Source': ['2.4.9-alpha2 '
'and '
'earlier',
'2.4.8-p2 '
'and '
'earlier',
'2.4.7-p7 '
'and '
'earlier',
'2.4.6-p12 '
'and '
'earlier',
'2.4.5-p14 '
'and '
'earlier',
'2.4.4-p15 '
'and '
'earlier']},
'cve_id': 'CVE-2025-54236',
'exploit_publicly_available': True,
'name': 'SessionReaper',
'patch_available': True,
'patch_leaked_prior': True,
'patch_release_date': '2025-09-09',
'type': 'Improper Input Validation'}}