SOCRadar® Cyber Intelligence Inc. | SessionReaper (CVE-2025-54236): Critical Adobe Commerce Vulnerability Actively Exploited
Oct 23, 2025
Moon

SessionReaper (CVE-2025-54236): Critical Adobe Commerce Vulnerability Actively Exploited

A new wave of attacks is targeting online stores running Adobe Commerce. Weeks after Adobe released a critical update, threat actors have begun exploiting a flaw called SessionReaper (CVE-2025-54236). This post breaks down what the vulnerability is, why it matters, who’s affected, and what store owners should do right now.

What Is CVE-2025-54236 (SessionReaper)?

CVE-2025-54236 (CVSS 9.1), dubbed SessionReaper, is a critical improper input validation vulnerability in Adobe Commerce and Magento Open Source.

The flaw affects the Commerce REST API and can let an attacker take over customer sessions without any user action.

Details of CVE-2025-54236 (SOCRadar Vulnerability Intelligence)

Adobe’s advisory (last updated September 22, 2025) states that the company had no evidence of exploitation in the wild at the time of writing. Active exploitation was reported roughly six weeks after the emergency patch’s release, with 250+ attempts in a day.

Which Products and Versions Are Affected?

According to Adobe’s guidance, multiple releases are impacted:

  • Adobe Commerce (all deployments): 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier; 2.4.4-p15 and earlier.
  • Magento Open Source: 2.4.9-alpha2 and earlier; 2.4.8-p2 and earlier; 2.4.7-p7 and earlier; 2.4.6-p12 and earlier; 2.4.5-p14 and earlier.
  • Adobe Commerce B2B: 1.5.3-alpha2 and earlier; 1.5.2-p2 and earlier; 1.4.2-p7 and earlier; 1.3.4-p14 and earlier; 1.3.3-p15 and earlier.
  • Custom Attributes Serializable module: versions 0.1.0–0.3.0 must be upgraded to 0.4.0+.

Adobe also notes that the attack path involves the Commerce REST API and that a successful exploit could let an attacker take over customer accounts.

How Are Attackers Exploiting SessionReaper in the Wild?

Sansec confirmed active exploitation and reported that their protections blocked more than 250 attempts in a single day. Attackers have been observed sending payloads that result in PHP webshells or phpinfo probes, which are used to check configuration and look for exploitable variables.

The security firm’s bulletin lists source IPs linked to the campaign and warns that automated tooling will accelerate attacks now that exploit details are public. The IPs observed so far include:

  • 34.227.25.4
  • 44.212.43.34
  • 54.205.171.35
  • 155.117.84.134
  • 159.89.12.166

SOCRadar’s Cyber Threat Intelligence module, Vulnerability Intelligence

When an exploit comes under active abuse, speed matters: you need fast, accurate signals (CVE updates, proof-of-concept exploit sightings, IoCs) and a way to prioritize which assets are at highest risk.

SOCRadar’s Cyber Threat Intelligence module continuously tracks CVEs and vendor advisories, correlates exploit activity and public writeups, and surfaces high-confidence alerts for affected instances of your digital assets.

How Dangerous Is the SessionReaper Vulnerability?

Two factors make SessionReaper particularly severe:

  • Default session storage: many stores use file-system session storage by default, which makes the exploit easier to trigger.
  • Public technical writeups and leaked patches: a leaked hotfix and detailed analyses (including a technical write-up by Assetnote, hosted by Searchlight Cyber) revealed how nested deserialization could enable Remote Code Execution (RCE), giving attackers a template to weaponize the issue.

Moreover, researchers say SessionReaper is comparable to past high-impact Magento bugs like CosmicSting, Shoplift and TrojanOrder.

How Many Stores Remain Vulnerable?

Patch adoption has lagged. Sansec telemetry shows that roughly 62% of Magento stores are still unpatched, meaning automated exploit kits can target a large pool of victims. Ten days after the fix was released, only about one-third of stores had applied it; about six weeks later, the figure had improved only marginally, leaving 3 in 5 stores exposed.

What Immediate Steps Should Administrators Take?

Follow Adobe’s remediation guidance and apply the hotfix (VULN-32437-2-4-X-patch) or upgrade to a patched release. Key actions include:

  • Apply the hotfix now: Follow Adobe’s patch instructions and test in staging before production.
  • Verify patch application: Run vendor/bin/magento-patches -n status and confirm the VULN-32437-2-4-X-patch entry shows Applied (pipe the output through grep -E "VULN-32437|Status" to show only the header and that row; plain grep treats the | literally and would match nothing).
  • Enable or review WAF rules: Adobe deployed WAF protections for Commerce Cloud, but WAFs are a stopgap, not a replacement for the hotfix.
  • Scan for compromise: Run a malware scanner and review logs for suspicious uploads or phpinfo probes.
  • Update modules: If you use the Custom Attributes Serializable module, upgrade it to 0.4.0+ with composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies.
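To make the verification steps above repeatable across many stores, here is an added Python example (it is not Adobe's, Magento's or SOCRadar's code) that checks the three things the list asks for from artifacts already on the server: the output of vendor/bin/magento-patches -n status for the VULN-32437 row, composer.lock for the Custom Attributes Serializable module version, and app/etc/env.php for the session storage backend, since the file-based default is what the "How Dangerous" section flags. The column layout assumed for the status output, the env.php key names, the "files" default and every sample input below are assumptions constructed for illustration.

```python
"""Post-hotfix verification for SessionReaper (CVE-2025-54236).

Added example, not vendor code. Sample inputs are constructed; the table
layout of `magento-patches status` and the env.php keys are assumptions.
"""
import json
import re

HOTFIX_ID = "VULN-32437"          # Adobe's hotfix id for CVE-2025-54236
MODULE = "magento/out-of-process-custom-attributes"
MODULE_FIXED = (0, 4, 0)          # 0.1.0-0.3.0 must move to 0.4.0 or later


def hotfix_applied(status_output: str, patch_id: str = HOTFIX_ID) -> bool:
    """True only if the row for patch_id has a cell that reads exactly 'Applied'."""
    for line in status_output.splitlines():
        if patch_id not in line:
            continue
        cells = [c.strip() for c in re.split(r"[│|]", line)]
        # exact cell match: 'Not applied' or 'N/A' must not pass
        return "Applied" in cells
    return False                   # no row at all: the hotfix was never installed


def _version_tuple(v: str) -> tuple:
    """'v0.3.0' / '0.4.0-p1' -> (0, 3, 0) / (0, 4, 0)."""
    return tuple(int(x) for x in v.lstrip("v").split("-")[0].split("."))


def custom_attributes_module_version(composer_lock: str):
    """Installed version of the Custom Attributes Serializable module, or None if absent."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == MODULE:
            return pkg.get("version")
    return None


def module_needs_upgrade(composer_lock: str) -> bool:
    ver = custom_attributes_module_version(composer_lock)
    return ver is not None and _version_tuple(ver) < MODULE_FIXED


def session_backend(env_php: str) -> str:
    """Read 'save' from the 'session' block of app/etc/env.php (assumed layout)."""
    block = re.search(r"'session'\s*=>\s*\[([^\]]*)", env_php)
    if block:
        m = re.search(r"'save'\s*=>\s*'([^']+)'", block.group(1))
        if m:
            return m.group(1)
    return "files"                 # assumed Magento default when nothing is configured


def assess(status_output: str, composer_lock: str, env_php: str) -> dict:
    """Collect the findings an administrator wants after applying the hotfix."""
    backend = session_backend(env_php)
    findings = {
        "hotfix_applied": hotfix_applied(status_output),
        "module_needs_upgrade": module_needs_upgrade(composer_lock),
        "session_backend": backend,
        # file-based sessions are the configuration the post singles out as risky
        "file_sessions": backend == "files",
    }
    findings["ok"] = findings["hotfix_applied"] and not findings["module_needs_upgrade"]
    return findings


# --- constructed samples (not real store data) ---------------------------
SAMPLE_STATUS = (
    "║ Id                     │ Title          │ Category │ Origin │ Status      │ Details ║\n"
    "║ VULN-32437-2-4-X-patch │ CVE-2025-54236 │ Other    │ Local  │ Not applied │ ...     ║\n"
)
SAMPLE_STATUS_APPLIED = SAMPLE_STATUS.replace("Not applied", "Applied    ")
SAMPLE_LOCK_OLD = json.dumps({"packages": [{"name": MODULE, "version": "0.3.0"}]})
SAMPLE_LOCK_FIXED = json.dumps({"packages": [{"name": MODULE, "version": "0.4.0"}]})
SAMPLE_ENV_FILES = "return [ 'session' => [ 'save' => 'files' ], ];"
SAMPLE_ENV_REDIS = "'session' => ['save' => 'redis', 'redis' => ['host' => '127.0.0.1']]"

if __name__ == "__main__":
    # On a real store, replace the samples with the output of
    # `vendor/bin/magento-patches -n status`, composer.lock and app/etc/env.php.
    print(assess(SAMPLE_STATUS, SAMPLE_LOCK_OLD, SAMPLE_ENV_FILES))
```

The exact-cell comparison matters: a substring test for "Applied" would also accept a "Not applied" row and report a store as fixed when it is not.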

What Indicators of Compromise (IoCs) Should I Look For?

Look for unexpected PHP files (webshells), unusual phpinfo() responses, spikes in POST requests to REST API endpoints, or new user sessions created without corresponding user actions. Also, the IP addresses seen in recent attack traffic can be used for temporary blocklisting.
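As an added example of turning those indicators into a repeatable check (this is not code from the original post, Sansec or Adobe), the Python script below runs over web-server access-log lines in combined format and flags the four signals just listed: traffic from the published source IPs, bursts of POSTs to the Commerce REST API from one client, requests for PHP files under /media/ (a store should never serve PHP from pub/media), and phpinfo probes. It also scans pub/media on disk for PHP files. The log lines, the REST path in them, the burst threshold and the window size are constructed or illustrative choices, not values taken from the campaign.

```python
"""Access-log and filesystem triage for SessionReaper (CVE-2025-54236) IoCs.

Added example; sample log lines are constructed and the thresholds are
illustrative. Run `triage(open("access.log").readlines())` on a real log.
"""
import os
import re
from collections import defaultdict
from datetime import datetime

# Source IPs reported by Sansec for the campaign (listed earlier on this page)
KNOWN_BAD_IPS = {"34.227.25.4", "44.212.43.34", "54.205.171.35",
                 "155.117.84.134", "159.89.12.166"}
REST_POST_BURST = 20     # POSTs to /rest/ from one IP inside the window (illustrative)
WINDOW_SECONDS = 60

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines) -> dict:
    """Score the IoCs named in the post over an iterable of log lines."""
    findings = {"known_bad_ip": [], "rest_post_burst": [],
                "php_in_media": [], "phpinfo_probe": []}
    rest_posts = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        low = r["path"].lower()
        if r["ip"] in KNOWN_BAD_IPS:
            findings["known_bad_ip"].append((r["ip"], r["path"]))
        if r["method"] == "POST" and low.startswith("/rest/"):
            rest_posts[r["ip"]].append(r["ts"])
        if low.startswith("/media/") and ".php" in low:
            # a 200 here means a dropped file is live, a 404 means someone is looking for one
            findings["php_in_media"].append((r["ip"], r["path"], r["status"]))
        if "phpinfo" in low:
            findings["phpinfo_probe"].append((r["ip"], r["path"]))
    # sliding window per client: any WINDOW_SECONDS span holding >= REST_POST_BURST POSTs
    for ip, stamps in rest_posts.items():
        stamps.sort()
        start = 0
        for i, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if i - start + 1 >= REST_POST_BURST:
                findings["rest_post_burst"].append(ip)
                break
    return findings


def php_files_under_media(magento_root: str) -> list:
    """List PHP-like files under pub/media; a clean install should return []."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(magento_root, "pub", "media")):
        hits += [os.path.join(dirpath, f) for f in files
                 if f.lower().endswith((".php", ".phtml", ".phar"))]
    return hits


def _sample_log() -> list:
    """Constructed access-log lines, not real traffic. The REST path is illustrative."""
    fmt = '{ip} - - [22/Oct/2025:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'
    lines = [fmt.format(ip="203.0.113.7", sec=s, method="POST",
                        path="/rest/V1/guest-carts/1a2b3c/estimate-shipping-methods", status=400)
             for s in range(22)]                       # 22 REST POSTs in 22 seconds
    lines.append(fmt.format(ip="159.89.12.166", sec=30, method="GET",
                            path="/media/wysiwyg/cache.php?x=phpinfo", status=200))
    lines.append(fmt.format(ip="198.51.100.9", sec=31, method="GET",
                            path="/catalog/product/view/id/42", status=200))
    return lines


if __name__ == "__main__":
    for key, hits in triage(_sample_log()).items():
        print(f"{key}: {hits}")
```

The burst rule is deliberately per-client and time-windowed rather than a global count, so a busy store's normal checkout traffic from many shoppers does not trigger it while one scanner hammering the REST API does; tune REST_POST_BURST against a baseline from your own logs before relying on it.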

SOCRadar’s Attack Surface Management (ASM) module, Company Vulnerabilities

SOCRadar’s Cyber Threat Intelligence and Attack Surface Management (ASM) modules can work together to strengthen your defenses. The CTI module provides timely updates about vulnerabilities like CVE-2025-54236, including exploit details, to help teams respond quickly. In parallel, the ASM module continuously identifies exposed assets, correlates them with vulnerability data, and helps prioritize patching by risk level.

Using both modules enables security teams to detect threats, discover at-risk assets such as Adobe Commerce or Magento, and sustain ongoing visibility and monitoring without delay.