Full Report
Six weeks after Adobe shipped an emergency fix, attackers have begun weaponizing SessionReaper, and most Magento stores still stand exposed. Security firm Sansec's forensics team said it blocked hundreds of real-world exploitation attempts against the SessionReaper bug as proof-of-concept code and a technical write-up circulated publicly. For store operators who still have not patched, it is a critical warning that widespread abuse will follow.

What is the SessionReaper Bug?

SessionReaper (CVE-2025-54236) is an unauthenticated remote-code-execution flaw in Adobe Commerce / Magento that stems from nested deserialization in admin-facing functionality. Assetnote published the technical analysis demonstrating how an attacker could craft requests that trigger object deserialization and run arbitrary PHP, a straight path to web shells and full shop takeover. With exploit details now public, Sansec researchers said the window for safe patching had effectively closed.

Sansec reported that only 38% of Magento stores had applied Adobe's patch six weeks after disclosure, leaving roughly 62% vulnerable to automated scans and commodity exploit tooling. The firm confirmed blocking more than 250 exploitation attempts in a single day and observed initial payloads that dropped PHP webshells or ran phpinfo probes. It also published an initial set of attacker source IPs to help defenders triage incoming traffic.

Also read: Adobe Issues Urgent Patch for ‘SessionReaper’ Vulnerability in Commerce and Magento

Attackers Exploited a Familiar eCommerce Playbook

Researchers said the attack flow is not novel and has been observed before: the attackers scanned the web for reachable admin consoles, sent crafted HTTP requests to the vulnerable endpoint, and dropped webshells to persist and pivot.
Sansec compared SessionReaper's potential impact to previous mass-compromise flaws such as Shoplift (2015) and CosmicSting (2024), both of which spawned waves of site-wide infections and payment-card skimming campaigns. With automated exploit scanners and proof-of-concept code circulating, researchers expect mass compromise within hours of public analysis.

The defensive checklist the researchers suggested is simple but urgent. They urged store owners to deploy the vendor patch or upgrade to the latest security release immediately; to put a web application firewall (WAF) in front of the store if they cannot patch right away; and to run a thorough compromise scan for indicators such as unexpected PHP webshells, new files in the webroot and suspicious scheduled tasks. They also advised searching access logs for the source IPs Sansec published to identify probing activity.

The warning carries particular weight because of the way ecommerce platforms amplify risk. Magento and Adobe Commerce sit at the intersection of payments, customer PII and third-party plugins. A single compromised admin console lets an attacker replace checkout pages, inject payment skimmers and harvest credit-card data at scale. Attackers have historically monetized these compromises rapidly, either by installing Magecart skimmers or by building backend access for long-running fraud operations. Sansec's timeline explicitly linked SessionReaper to that same class of high-impact supply-chain abuse.

The SessionReaper episode offers two broader lessons. First, critical-path fixes for internet-facing infrastructure must move faster than the adversary's ability to automate; Adobe's patch arrived, but adoption lagged dangerously. Second, ecommerce operators need layered controls. Patching is what actually closes this bug, but WAFs, hardened deployment practices, privilege separation and continuous file-integrity monitoring buy time when immediate patching proves difficult.
Also read: Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products
Analysis Summary
This summary covers SessionReaper (CVE-2025-54236), the Adobe Commerce / Magento flaw whose active exploitation the article above describes. Fields the page does not state (CVSS score, affected version ranges, the identifier of Adobe's emergency fix, Sansec's actual IP list) are marked as not stated rather than filled in.
# Vulnerability: SessionReaper (CVE-2025-54236), Adobe Commerce / Magento
## CVE Details
- CVE ID: CVE-2025-54236 (named in the article).
- CVSS Score: Not stated on this page; the article describes the flaw as a critical, unauthenticated remote-code-execution bug.
- CWE: Not stated on this page. The article attributes the flaw to nested deserialization of attacker-controlled input, which corresponds to CWE-502 (Deserialization of Untrusted Data); Adobe's own classification is not given here.
## Affected Systems
- Products: Magento, Adobe Commerce
- Versions: Not stated on this page. Any deployment that has not applied Adobe's emergency fix or upgraded to the latest security release should be treated as affected; Sansec measured only 38% of stores patched six weeks after disclosure.
- Configurations: Internet-facing Magento / Adobe Commerce stores. No special configuration is required, since the flaw is reachable without authentication.
## Vulnerability Description
SessionReaper is an unauthenticated remote-code-execution flaw in Adobe Commerce / Magento caused by nested deserialization in admin-facing functionality. An attacker who can reach the vulnerable endpoint sends crafted HTTP requests that trigger object deserialization and run arbitrary PHP, then drops a webshell to persist. Because Adobe's fix was widely available but slowly adopted, the observed campaign simply scans for unpatched stores and exploits them with commodity tooling. A successful compromise gives the attacker the same position as a compromised admin console: replacing checkout pages, injecting Magecart-style skimmers, and harvesting customer PII and card data at scale.
## Exploitation
- Status: **Exploited in the wild.** Sansec blocked hundreds of exploitation attempts, more than 250 in a single day, after the proof-of-concept and Assetnote's technical write-up became public. Observed first-stage payloads were PHP webshells and phpinfo probes.
- Complexity: Low. No authentication or user interaction is required, public proof-of-concept code exists, and the attack has been automated with mass scanners, so exploitation is limited mainly by how fast defenders patch.
- Attack Vector: Network (Remote exploitation of internet-facing infrastructure).
## Impact
- Confidentiality: **High** (Harvesting customer PII and credit-card data).
- Integrity: **High** (Ability to replace checkout pages and inject skimmers).
- Availability: Moderate. Arbitrary code execution lets an attacker disrupt or take down the store, but the observed campaign is aimed at persistence and fraud rather than outage.
## Remediation
### Patches
- Adobe shipped an emergency fix for CVE-2025-54236 roughly six weeks before the exploitation wave; its bulletin identifier is not given on this page. Apply that fix or upgrade to the latest Adobe Commerce / Magento security release immediately, since the safe-patching window closed once exploit details became public.
- The second linked article ("Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products") is a separate monthly bulletin. It is related reading, not the SessionReaper fix; stores should still track it as part of normal patch hygiene.
### Workarounds
- **Layered controls** buy time when immediate patching is difficult; none of them replaces the patch:
- Web Application Firewalls (WAFs).
- Hardened deployment practices.
- Privilege separation.
- Continuous file-integrity monitoring.
## Detection
- **Actionable Steps Recommended by Researchers:**
- Run a thorough compromise scan for unexpected PHP webshells, paying particular attention to upload and media directories under the Magento webroot (`pub/`), where legitimate PHP should not appear.
- Diff the webroot against a known-good baseline (a release artifact or file-integrity manifest) and review every new or changed file.
- Inspect scheduled tasks, both the web user's crontab and Magento's own cron entries, for jobs that were not deployed intentionally.
- Search access logs for requests from the source IPs Sansec published, and for follow-on requests to any newly created PHP files.
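The checklist above, and the same checklist in the article's defensive-advice paragraph, can be driven from one small triage script. The following is an added example written for this page; it is not code from the article, from Sansec or from Adobe. It hashes a webroot into a baseline manifest and diffs it (the file-integrity-monitoring control from the remediation list), flags PHP files that contain webshell-style primitives, and searches access-log lines for a source-IP watchlist. The webroot files, the log lines, the watchlist addresses (RFC 5737 documentation ranges) and the pattern set are all constructed for the demonstration; Sansec's real IP list is not reproduced on this page and must be supplied by the operator.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Primitives that legitimate code under Magento's pub/ and media directories
# almost never needs. A hit is a lead for manual review, not proof of compromise.
# This pattern set is the example's own assumption, not a Sansec signature.
WEBSHELL_PATTERNS = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|phpinfo)\s*\("
)
ENCODED_EXEC = re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")

# Apache/Nginx combined log format: client IP, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed placeholder addresses; replace with the IPs Sansec published.
WATCHLIST = {"203.0.113.7", "198.51.100.23"}

# Constructed access-log lines for the demonstration.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:12:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.23 - - [10/Nov/2025:12:00:05 +0000] "GET /pub/media/cache.php?c=cGhwaW5mbygpOw== HTTP/1.1" 200 3211 "-" "curl/8.5.0"',
    '192.0.2.44 - - [10/Nov/2025:12:01:10 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map each file's webroot-relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(webroot).as_posix(): sha256_file(p)
            for p in webroot.rglob("*") if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files that are new, changed or deleted relative to a known-good baseline."""
    common = baseline.keys() & current.keys()
    return {
        "new": sorted(current.keys() - baseline.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def scan_for_webshells(webroot: Path) -> list:
    """Webroot-relative paths of PHP files containing webshell-style primitives."""
    hits = []
    for p in webroot.rglob("*.php"):
        data = p.read_bytes()
        if WEBSHELL_PATTERNS.search(data) or ENCODED_EXEC.search(data):
            hits.append(p.relative_to(webroot).as_posix())
    return sorted(hits)


def find_watchlist_hits(log_lines, watchlist) -> list:
    """(ip, method, path, status) for every request from a watchlisted source."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") in watchlist:
            hits.append((m.group("ip"), m.group("method"), m.group("path"), m.group("status")))
    return hits


def run_demo() -> dict:
    """Baseline a constructed webroot, plant the changes the article describes, triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pub").mkdir()
        (root / "pub" / "index.php").write_bytes(b"<?php require 'app/bootstrap.php';\n")
        (root / "pub" / "health_check.php").write_bytes(b"<?php echo 'ok';\n")
        baseline = build_manifest(root)  # taken while the store is known-good

        # Post-incident state: a dropped webshell plus a tampered existing file.
        (root / "pub" / "media").mkdir()
        (root / "pub" / "media" / "cache.php").write_bytes(b"<?php eval(base64_decode($_POST['c']));\n")
        (root / "pub" / "health_check.php").write_bytes(b"<?php phpinfo();\n")
        current = build_manifest(root)

        return {
            "diff": diff_manifest(baseline, current),
            "webshells": scan_for_webshells(root),
            "log_hits": find_watchlist_hits(SAMPLE_LOG, WATCHLIST),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In real use, generate the baseline manifest from the release artifact at deploy time rather than from a live server that may already be compromised, point `build_manifest` at the store's `pub/` directory, and feed the access log through `find_watchlist_hits` line by line. Treat every new PHP file under `pub/media` and every watchlist request that returned 200 as an incident lead to be reviewed by hand.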
## References
- Vendor Advisories: Adobe's emergency fix for CVE-2025-54236 (bulletin identifier not given on this page); Assetnote's technical write-up and Sansec's exploitation report and IP list are referenced in the article but not linked here.
- Relevant links - defanged:
- hxxps://thecyberexpress.com/sessionreaper-exploits-erupt/
- hxxps://thecyberexpress.com/adobe-security-update-2/