
Adobe Commerce Security Crisis: SessionReaper Exploits Escalate


Security researchers have confirmed that a critical vulnerability, dubbed SessionReaper (CVE-2025-54236), is being exploited in the wild against online stores built on Adobe Commerce and Magento Open Source. Attackers use the flaw to hijack active customer sessions and, on stores that keep sessions in the default file-based storage, to execute arbitrary code on the server. Every store operator should apply the fix immediately, verify that it is actually in place, and tighten monitoring of REST API traffic.

How the SessionReaper Exploit Works

SessionReaper is an improper input validation flaw (CWE-20) in the REST API of Adobe Commerce. A crafted, unauthenticated request causes the application to accept attacker-supplied session data, so the attacker is treated as an already-authenticated customer without that customer doing anything. On stores that keep sessions in the default file-based storage, the same primitive gives the attacker a way to write to the file system, and in many deployments that reaches system files and administrative interfaces. A session-handling bug therefore becomes a privilege-escalation and code-execution path, which is why the fix and the session-storage backend both matter.

Affected Versions and Current Exposure

According to Adobe's advisory (APSB25-88), the affected releases are Adobe Commerce and Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, and the older supported patch lines listed in the advisory. Adobe shipped the fix as a hotfix applied on top of these releases rather than as a new version number, so the version string alone does not show whether a store is patched; that has to be verified on the installation itself. Telemetry from Sansec and other monitoring firms indicates that roughly six out of ten stores had still not applied the fix weeks after its release, leaving them exposed to automated scanning and exploitation campaigns that continue to grow daily.

Evidence of Active Attacks

Within hours of exploit details becoming public, threat-intelligence teams observed widespread attacks: more than 250 exploit attempts in a single day, originating from multiple IP ranges. Compromised servers commonly showed uploaded PHP web shells, altered configuration files, and sudden spikes in REST API traffic. Those artifacts indicate that attackers are chaining SessionReaper with secondary payloads to gain persistent control rather than stopping at session hijacking.

Detection and Mitigation

Administrators must first install Adobe's official fix and then confirm it is present, since the version string does not change. Because the flaw hijacks existing sessions, all active sessions should be invalidated after patching so that any session an attacker already holds stops working, and administrative credentials and API tokens should be rotated. Web Application Firewall (WAF) rules should inspect incoming REST API requests for unexpected parameters and block bursts of requests from a single source. Webroot directories should be reviewed for newly created or recently modified PHP files, and app/etc/env.php and other configuration files should be compared against a known-good copy. Switching session storage from the local file system to a database or Redis back end removes the on-disk write target that turns this session bug into code execution, and is worth doing even after patching. Consistent monitoring with intrusion-detection sensors further improves resilience.
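The following script is an added example for this article, not Adobe's, Sansec's or Magento's own tooling. It implements three of the checks recommended above in one place: finding source IPs that burst POST requests at the REST API in a web server access log, flagging PHP files under the webroot that carry common web-shell markers, and reading the session save backend out of app/etc/env.php. The thresholds, marker patterns, planted file names and the sample log lines are assumptions constructed for illustration, not indicators published for this CVE; tune them to your own deployment.

```python
"""Post-patch triage checks for a SessionReaper (CVE-2025-54236) exposure.

Added example; not Adobe's, Sansec's or Magento's tooling. Thresholds, shell
markers, file names and the sample log are assumptions chosen for illustration.
"""
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache/nginx "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def rest_bursts(lines, window_seconds=60, threshold=20):
    """Map each source IP to the largest number of POSTs under /rest/ it sent
    inside any sliding window of window_seconds; keep only IPs above threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/rest/"):
            per_ip[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Generic web-shell markers (assumed; tune to your codebase to limit false positives).
SHELL_MARKERS = (
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
)


def suspicious_php(webroot, modified_after=None):
    """Return webroot-relative paths of .php files matching a shell marker.
    modified_after (an aware datetime) limits the scan to recently written files."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*.php"):
        if modified_after is not None:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime < modified_after:
                continue
        if any(rx.search(path.read_bytes()) for rx in SHELL_MARKERS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


# Matches the usual env.php layout: 'session' => ['save' => 'files' | 'db' | 'redis', ...]
SESSION_RE = re.compile(r"'session'\s*=>\s*\[\s*'save'\s*=>\s*'([A-Za-z_]+)'")


def session_backend(env_php_text):
    """Return the configured session save backend; an absent setting means
    Magento's default, file-based storage, which is the risky configuration."""
    m = SESSION_RE.search(env_php_text)
    return m.group(1) if m else "files"


def constructed_log():
    """Constructed access-log sample: one client hammering the REST API and one
    ordinary shopper. Not real traffic; the REST path is illustrative."""
    base = datetime(2025, 10, 22, 14, 0, 0, tzinfo=timezone.utc)
    scan = [f'203.0.113.5 - - [{(base + timedelta(seconds=i)).strftime(TS_FMT)}] '
            f'"POST /rest/V1/customers/me HTTP/1.1" 400 512 "-" "python-requests/2.31"'
            for i in range(25)]
    shop = [f'198.51.100.7 - - [{(base + timedelta(seconds=40 * i)).strftime(TS_FMT)}] '
            f'"GET /catalog/product/view/id/42 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"'
            for i in range(5)]
    return scan + shop


def constructed_webroot():
    """Create a throwaway directory holding a legitimate PHP entry point and two
    planted shell-like files (constructed for the demo); return its path."""
    root = Path(tempfile.mkdtemp(prefix="magento-demo-"))
    (root / "pub" / "media").mkdir(parents=True)
    (root / "pub" / "index.php").write_text("<?php require __DIR__ . '/../app/bootstrap.php';\n")
    (root / "pub" / "media" / "cache.php").write_text('<?php eval(base64_decode($_POST["x"])); ?>\n')
    (root / "pub" / "media" / "up.php").write_text("<?php system($_GET['cmd']); ?>\n")
    return root


# Two constructed env.php fragments: the default file backend and a Redis backend.
ENV_PHP_FILES = "<?php\nreturn [\n    'session' => [\n        'save' => 'files'\n    ],\n];\n"
ENV_PHP_REDIS = ("<?php\nreturn [\n    'session' => [\n        'save' => 'redis',\n"
                 "        'redis' => ['host' => '127.0.0.1', 'port' => '6379'],\n    ],\n];\n")

if __name__ == "__main__":
    print("REST bursts:", rest_bursts(constructed_log()))
    print("shell-like files:", suspicious_php(constructed_webroot()))
    backend = session_backend(ENV_PHP_FILES)
    print("session backend:", backend, "(move to db or redis)" if backend == "files" else "(ok)")
```

On a real host, feed `rest_bursts` the access log lines, point `suspicious_php` at the Magento root with `modified_after` set to the date the fix was published, and pass the contents of app/etc/env.php to `session_backend`. A hit from any of the three checks is a reason to treat the store as compromised and start incident response, not just to patch.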

Broader Security Lessons

The SessionReaper incident highlights a recurring weakness in e-commerce environments: slow patch cycles. Attackers exploit predictable maintenance delays rather than sophisticated zero-days. Because open-source ecosystems evolve quickly, every security team should automate vulnerability scanning and patch validation. Integrating those steps into continuous-deployment pipelines ensures that patches reach production before threat actors can weaponize them.

SessionReaper demonstrates how a single validation flaw can threaten thousands of businesses. Timely updates, layered defenses, and disciplined monitoring remain the strongest countermeasures. By addressing this issue now, administrators protect both their infrastructure and their customers’ trust.

FAQS

Q: What is SessionReaper?
SessionReaper (CVE-2025-54236) is a critical vulnerability in Adobe Commerce’s REST API that permits attacker-controlled session hijacks without user interaction.

Q: How can attackers exploit it?
They send crafted input to the REST interface that abuses the improper input validation; where the store uses the default file-based session storage, the same flaw lets them hijack live customer sessions or write files such as web shells to the server.

Q: Which versions are vulnerable?
Adobe Commerce and Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, and the older patch lines listed in Adobe's advisory. Because the fix is a hotfix, a vulnerable version number does not by itself tell you whether a given store has been patched.

Q: How widespread is the risk?
According to telemetry from Sansec, approximately 62 % of Adobe Commerce stores remained unpatched six weeks after the fix, exposing thousands of e-commerce sites to active attacks.

Q: What immediate steps should administrators take?
Apply the emergency hotfix immediately, verify that it is in place, invalidate existing sessions and rotate administrative credentials, deploy WAF protections for the REST API, scan the webroot for web-shell indicators, and move session storage off the local file system to a database or Redis back end.
