A coordinated attack campaign has hit more than 250 Adobe Commerce and Magento Open Source e-commerce stores within a 24-hour period, exploiting a recently disclosed critical vulnerability. E-commerce security firm Sansec has issued an urgent warning as threat actors actively leverage CVE-2025-54236, also known as “SessionReaper,” to hijack customer accounts and deploy backdoors on vulnerable stores.
This attack represents one of the most significant e-commerce security incidents of 2025, with an estimated 62% of all Magento stores remaining vulnerable six weeks after Adobe released security patches.
Vulnerability Overview: CVE-2025-54236 (SessionReaper)
Technical Specifications
| Attribute | Details |
|---|---|
| CVE Identifier | CVE-2025-54236 |
| Common Name | SessionReaper |
| CVSS Score | 9.1 (Critical) |
| Vulnerability Type | Improper Input Validation / Nested Deserialization |
| Attack Vector | Network (Remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Affected Systems | Adobe Commerce & Magento Open Source |
| Disclosure Date | September 2025 |
| Patch Release | September 2025 |
| Active Exploitation | Confirmed (October 2025) |
How the Vulnerability Works
SessionReaper is a nested deserialization flaw in the Commerce REST API. The API converts nested request data into PHP objects according to declared parameter types, and insufficient input validation lets attacker-supplied data reach object types it should never be able to construct. In practice this allows attackers to:
- Bypass authentication mechanisms through improper input validation
- Execute arbitrary PHP code remotely on vulnerable servers
- Upload malicious webshells via the /customer/address_file/upload endpoint
- Hijack customer accounts without authentication
The campaign additionally probes for phpinfo pages to extract server configuration details before exploitation.
The vulnerability requires no user interaction and can be exploited remotely with minimal technical complexity, which makes it well suited to automated attacks. One caveat matters for triage: a backdoor planted as a fake session file only works where PHP sessions are stored as files, which is Magento's default. Stores that keep sessions in Redis or the database close that particular path but remain exposed to the REST API flaw and must patch regardless.
Attack Statistics and Impact Analysis
Attack Volume Breakdown
| Metric | Value | Timeframe |
|---|---|---|
| Stores Attacked | 250+ | 24 hours |
| Vulnerable Stores (Estimated) | 62% of all Magento stores | As of October 2025 |
| Time Since Patch Release | 6 weeks | September – October 2025 |
| Patch Adoption Rate | 38% | 6 weeks post-disclosure |
| Attack Success Rate | Under investigation | Ongoing |
Geographic Distribution of Attacks
Based on preliminary analysis, attacks have targeted stores globally with concentration in:
| Region | Estimated Targets | Percentage |
|---|---|---|
| North America | 95+ stores | 38% |
| Europe | 75+ stores | 30% |
| Asia-Pacific | 50+ stores | 20% |
| Other Regions | 30+ stores | 12% |
Note: Geographic data is estimated based on store locations and may not reflect actual compromise rates.
Threat Actor Infrastructure
Confirmed Attack Sources
Sansec has published the following IP addresses observed actively exploiting CVE-2025-54236. Cloud-hosted attack infrastructure changes quickly, so treat the list as a starting point for log review rather than a complete block list:
| IP Address | Location | Hosting Provider | Attack Type |
|---|---|---|---|
| 34.227.25.4 | US (Virginia) | Amazon AWS | Webshell Deployment |
| 44.212.43.34 | US (Virginia) | Amazon AWS | Webshell Deployment |
| 54.205.171.35 | US (Virginia) | Amazon AWS | Webshell Deployment |
| 155.117.84.134 | Netherlands | Unknown | phpinfo Probing |
| 159.89.12.166 | Netherlands | DigitalOcean | phpinfo Probing |
Attack Methodology
Attackers are employing a two-stage exploitation strategy:
Stage 1: Reconnaissance
- Probing phpinfo endpoints to extract PHP configuration details
- Identifying vulnerable Magento versions
- Mapping server architecture and security configurations
Stage 2: Exploitation
- Exploiting CVE-2025-54236 through Commerce REST API
- Uploading PHP backdoors disguised as fake session files
- Deploying webshells via /customer/address_file/upload
- Establishing persistent access for future operations
Historical Context: Magento Deserialization Vulnerabilities
This is not the first time Magento platforms have faced critical deserialization vulnerabilities. Here’s a comparison:
Vulnerability Comparison Table
| Vulnerability | CVE-2024-34102 (CosmicSting) | CVE-2025-54236 (SessionReaper) |
|---|---|---|
| Public Disclosure | June 2024 | September 2025 |
| CVSS Score | 9.8 (Critical) | 9.1 (Critical) |
| Vulnerability Type | XXE + Deserialization | Nested Deserialization |
| Exploitation Difficulty | Low | Low |
| Time to Active Exploitation | ~2 weeks | ~6 weeks |
| Patch Adoption (6 weeks) | ~45% | ~38% |
| Known Compromises | Thousands | 250+ (ongoing) |
| Primary Attack Vector | XML External Entity | REST API Input Validation |
Key Observation
The pattern of slow patch adoption continues to plague the Magento ecosystem: only 38% of stores applied this critical update within six weeks, seven percentage points lower than during the CosmicSting incident.
Technical Deep Dive: Nested Deserialization Exploit
According to detailed analysis by Searchlight Cyber, CVE-2025-54236 represents a sophisticated nested deserialization vulnerability that enables remote code execution through the following mechanism:
Exploitation Chain
1. Attacker sends crafted REST API request
↓
2. Improper input validation allows malicious serialized data
↓
3. Nested deserialization triggers in the REST input processor, which instantiates objects for nested request data by declared type
↓
4. PHP object instantiation with attacker-controlled properties
↓
5. Magic methods (__destruct, __wakeup) execute arbitrary code
↓
6. Webshell uploaded as fake session file
↓
7. Persistent backdoor access established
Code Execution Path
The deserialization flaw itself is in the REST API's input processing; the customer address file upload controller serves as the write primitive for planting the fake session file:
Deserialization entry point: Commerce REST API requests carrying nested object data
Upload endpoint: /customer/address_file/upload (the storefront controller for file-type address attributes; it is not a /rest/V1 route)
Exploit vector: a planted “session” file containing PHP, referenced from a crafted request
Result: remote code execution as the web server / PHP-FPM user
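The bug class described in the exploitation chain and code execution path above, as an added example that is not Magento's code and does not reproduce Adobe's vulnerable classes: a toy REST input processor that builds nested objects from request data by declared field type. Any type reachable through the object graph gets constructed with attacker-controlled properties, including one whose construction has a side effect (here, opening a session file named after a request-supplied id). The hardened variant only instantiates types carrying a data-transfer marker. The class and field names (ApiData, SessionHandle, Customer) and the session file location are assumptions for illustration.

```python
"""
Added example (not Magento's own code): a minimal model of the nested
deserialization bug class behind CVE-2025-54236. The processor walks the
declared field types of a data object and instantiates nested objects from
request JSON. If a type with side effects is reachable in that graph, the
request decides those side effects. Names below are illustrative assumptions.
"""
from dataclasses import dataclass, field, fields


class ApiData:
    """Marker for plain data-transfer objects the API is allowed to build."""


@dataclass
class Address(ApiData):
    city: str = ""
    street: str = ""


@dataclass
class SessionHandle:
    """Not a DTO: constructing it has a side effect (models a session manager
    that opens a session file named after the supplied id)."""
    session_id: str = ""
    loaded_from: str = field(default="", init=False)

    def __post_init__(self) -> None:
        # A file planted under var/session/ (e.g. via the address file upload
        # controller) is reached simply by naming its id in the request.
        self.loaded_from = f"var/session/sess_{self.session_id}"


@dataclass
class Customer(ApiData):
    email: str = ""
    address: Address = field(default_factory=Address)
    # A stateful service leaked into the DTO graph: this is the hazard.
    session: SessionHandle = field(default_factory=SessionHandle)


def build(cls: type, data: dict, dto_only: bool):
    """Recursively turn nested request data into objects by declared type."""
    if dto_only and not issubclass(cls, ApiData):
        raise ValueError(f"refusing to instantiate non-data type {cls.__name__}")
    allowed = {f.name: f.type for f in fields(cls) if f.init}
    kwargs = {}
    for name, value in data.items():
        if name not in allowed:
            raise ValueError(f"unknown field {name!r} for {cls.__name__}")
        target = allowed[name]
        if isinstance(value, dict) and isinstance(target, type):
            kwargs[name] = build(target, value, dto_only)  # nested deserialization
        elif isinstance(value, str) and target is str:
            kwargs[name] = value
        else:
            raise ValueError(f"bad value for {cls.__name__}.{name}")
    return cls(**kwargs)


def process_request(payload: dict, hardened: bool) -> Customer:
    """Model of the REST endpoint's input processing, vulnerable or hardened."""
    return build(Customer, payload, dto_only=hardened)


def hardened_rejects(payload: dict) -> bool:
    """True if the allowlisting processor refuses the payload."""
    try:
        process_request(payload, hardened=True)
    except ValueError:
        return True
    return False


# Constructed requests: a normal customer update, and one smuggling a session id.
BENIGN_REQUEST = {"email": "alice@example.com", "address": {"city": "Lyon"}}
MALICIOUS_REQUEST = {
    "email": "victim@example.com",
    "address": {"city": "Berlin"},
    "session": {"session_id": "deadbeef_planted_by_attacker"},
}

if __name__ == "__main__":
    c = process_request(MALICIOUS_REQUEST, hardened=False)
    print("vulnerable processor opened:", c.session.loaded_from)
    print("hardened processor rejects it:", hardened_rejects(MALICIOUS_REQUEST))
```

The fix is an allowlist on what the processor may construct, not a blocklist of known-bad classes: every class reachable by type hint is a candidate gadget, so the safe set is "data objects only".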
Impact Assessment
Potential Consequences for Compromised Stores
| Impact Category | Severity | Description |
|---|---|---|
| Customer Data Breach | Critical | Full access to customer accounts, personal information, payment details |
| Payment Card Theft | Critical | Potential installation of credit card skimmers |
| Administrative Takeover | High | Complete control over store backend and operations |
| Malware Distribution | High | Ability to serve malware to customers |
| SEO Poisoning | Medium | Injection of malicious links and content |
| Service Disruption | Medium | Potential for ransomware or data destruction |
| Reputational Damage | High | Loss of customer trust and brand value |
| Regulatory Penalties | High | GDPR, PCI-DSS, and other compliance violations |
Financial Impact Estimates
Based on similar e-commerce breaches, affected stores may face:
| Cost Category | Estimated Range (per store) |
|---|---|
| Incident Response | $10,000 – $50,000 |
| Forensic Investigation | $15,000 – $75,000 |
| Customer Notification | $5,000 – $25,000 |
| Legal Fees | $20,000 – $100,000 |
| Regulatory Fines | $50,000 – $500,000+ |
| Revenue Loss | Varies significantly |
| Reputation Recovery | $50,000 – $250,000 |
| Total Estimated Cost | $150,000 – $1,000,000+ |
Immediate Action Required
Security Recommendations Checklist
| Priority | Action | Timeframe | Status |
|---|---|---|---|
| ☐ CRITICAL | Apply Adobe security patches immediately | Within 24 hours | Pending |
| ☐ CRITICAL | Scan for indicators of compromise (IOCs) | Within 24 hours | Pending |
| ☐ CRITICAL | Block identified malicious IP addresses | Within 4 hours | Pending |
| ☐ HIGH | Review var/session/ (and any other session store) for session files containing PHP code | Within 48 hours | Pending |
| ☐ HIGH | Audit access logs for POSTs to /customer/address_file/upload and review every file those requests uploaded | Within 48 hours | Pending |
| ☐ HIGH | Invalidate all existing sessions after patching (clear var/session/ or flush the Redis/database session store) so attacker-planted sessions cannot be reused | Within 48 hours | Pending |
| ☐ HIGH | Implement Web Application Firewall (WAF) rules | Within 72 hours | Pending |
| ☐ MEDIUM | Force password resets for all admin accounts | Within 1 week | Pending |
| ☐ MEDIUM | Enable multi-factor authentication (MFA) | Within 1 week | Pending |
| ☐ MEDIUM | Conduct comprehensive security audit | Within 2 weeks | Pending |
| ☐ LOW | Review and update incident response plan | Within 1 month | Pending |
Patch Information
Adobe initially distributed the fix for CVE-2025-54236 as a standalone hotfix patch applied on top of existing installations rather than as a new point release, so Adobe's bulletin is the authoritative source for both the hotfix and the release versions that bundle it. The version list originally reproduced here (2.4.7-p2, 2.4.6-p7, 2.4.5-p9 and 2.4.4-p10, for both Adobe Commerce and Magento Open Source) consists of 2024 releases that predate the September 2025 disclosure and therefore cannot contain this fix; do not treat those version numbers as patched. Apply the hotfix, or upgrade to a release that Adobe's bulletin lists as containing the fix.
Update Command (upgrade path; replace <version> with a release Adobe lists as fixed, and use magento/product-enterprise-edition instead of the community package for Adobe Commerce):
bin/magento maintenance:enable
composer require magento/product-community-edition=<version> --no-update
composer update
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush
bin/magento maintenance:disable
Detection and Response
Indicators of Compromise (IOCs)
Network Indicators:
| IOC Type | Value | Description |
|---|---|---|
| IP Address | 34.227.25.4 | Attack source |
| IP Address | 44.212.43.34 | Attack source |
| IP Address | 54.205.171.35 | Attack source |
| IP Address | 155.117.84.134 | Attack source |
| IP Address | 159.89.12.166 | Attack source |
| HTTP Path | /customer/address_file/upload | Exploit endpoint (upload of the fake session file) |
| File Path | <magento_root>/var/session/sess_* containing PHP code | Webshell location (file-based session storage only) |
| HTTP Pattern | phpinfo() requests | Reconnaissance activity |
Log Analysis Commands
Check for Suspicious Access (paths below assume Apache; adjust for nginx or a different log location):
# Review access logs for exploit attempts
grep -i "customer/address_file/upload" /var/log/apache2/access.log
# Search for phpinfo probes
grep -i "phpinfo" /var/log/apache2/access.log
# Check for the reported attacker IP addresses (dots escaped so they match literally, not "any character")
grep -E "34\.227\.25\.4|44\.212\.43\.34|54\.205\.171\.35|155\.117\.84\.134|159\.89\.12\.166" /var/log/apache2/access.log
Scan for Webshells (replace /path/to/magento with the store's install root; session files live under var/session/ inside it, not under /var/session):
# A planted session file is named like a real one (sess_<id>), not *.php, so search the contents for PHP code
grep -lF "<?php" /path/to/magento/var/session/sess_* 2>/dev/null
# Recently modified PHP files in directories the web server can write to
find /path/to/magento/pub/media /path/to/magento/var -name "*.php" -mtime -7 -ls
# Suspicious PHP constructs (noisy; review every hit by hand)
grep -rlE "eval\(|base64_decode\(|shell_exec\(|passthru\(|assert\(" /path/to/magento/var/session/ /path/to/magento/pub/media/
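The same triage as the log and webshell commands above, as an added example that is not Sansec's or Adobe's tooling: it parses combined-format access log lines, flags the indicators listed in this article (the reported attacker IPs, the address file upload endpoint, phpinfo probes) with a reason per hit, and scans a var/session/ lookalike for session files that contain PHP code. The log lines and session files are constructed samples; the IP addresses are the ones reported for this campaign.

```python
"""
Added example (not Sansec's or Adobe's tooling): triage Apache/nginx combined
access-log lines against the SessionReaper indicators, and scan a Magento
var/session/ directory for session files that contain PHP code. Sample log
lines and session files are constructed; attacker IPs are as reported.
"""
import re
import tempfile
from pathlib import Path

KNOWN_ATTACKER_IPS = {
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
}
UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def triage_log(lines):
    """Return one record per line that matches an indicator, with the reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash mid-incident
        ip, path = m["ip"], m["path"]
        reasons = []
        if ip in KNOWN_ATTACKER_IPS:
            reasons.append("known-attacker-ip")
        if path.split("?", 1)[0].rstrip("/").endswith(UPLOAD_ENDPOINT):
            reasons.append("address-file-upload")
        if "phpinfo" in path.lower():
            reasons.append("phpinfo-probe")
        if reasons:
            hits.append({"ip": ip, "ts": m["ts"], "method": m["method"],
                         "path": path, "status": m["status"], "reasons": reasons})
    return hits


def scan_session_dir(session_dir):
    """Names of sess_* files that contain a PHP open tag.

    A genuine PHP session file holds serialized data and never a '<?php' tag,
    so this is a low-noise test; grepping for eval/system alone false-positives
    on ordinary serialized strings.
    """
    flagged = []
    for f in Path(session_dir).glob("sess_*"):
        if PHP_OPEN_TAG.search(f.read_bytes()):
            flagged.append(f.name)
    return sorted(flagged)


# --- constructed sample data (not real traffic) -----------------------------
SAMPLE_LOG = [
    '34.227.25.4 - - [22/Oct/2025:10:15:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '159.89.12.166 - - [22/Oct/2025:10:14:30 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '203.0.113.7 - - [22/Oct/2025:10:16:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Oct/2025:10:17:45 +0000] "POST /customer/address_file/upload/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]


def make_sample_session_dir() -> str:
    """Create a throwaway var/session/ lookalike with one planted webshell."""
    d = tempfile.mkdtemp(prefix="magento_session_")
    (Path(d) / "sess_a1b2c3").write_bytes(b'customer_base|a:1:{s:2:"id";i:5;}')
    # Serialized text mentioning "system": must NOT be flagged.
    (Path(d) / "sess_d4e5f6").write_bytes(b'note|s:18:"system test passed";')
    (Path(d) / "sess_7f3e9c").write_bytes(b'<?php @eval($_POST["c"]); ?>')
    return d


if __name__ == "__main__":
    for h in triage_log(SAMPLE_LOG):
        print(h["ip"], h["method"], h["path"], ",".join(h["reasons"]))
    print("webshell-like session files:", scan_session_dir(make_sample_session_dir()))
```

Run it against the real log with `triage_log(open(path))` and against the store's `var/session/` directory; the unknown-IP hit on the upload endpoint in the sample is the case a pure IP block list would miss.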
Industry Response and Expert Commentary
Security Researcher Insights
Blaklis (CVE-2025-54236 Discoverer):
“The nested deserialization vulnerability in SessionReaper represents a fundamental flaw in how Magento handles user input through its REST API. The ease of exploitation combined with the potential impact makes this one of the most dangerous vulnerabilities we’ve seen in e-commerce platforms this year.”
Sansec Advisory
According to Sansec’s research team:
“PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session. The speed and coordination of these attacks suggest an organized threat actor with significant resources. Store owners must act immediately to protect their customers and business.”
Long-Term Security Recommendations
Building a Resilient E-commerce Security Posture
| Security Layer | Implementation | Expected Benefit |
|---|---|---|
| Patch Management | Automated security updates | 95% vulnerability reduction |
| WAF Deployment | Cloud-based or on-premise | 70-80% attack blocking |
| Runtime Protection | RASP solutions | Real-time threat detection |
| File Integrity Monitoring | Continuous scanning | Immediate tampering detection |
| Security Audits | Quarterly penetration testing | Proactive vulnerability discovery |
| Incident Response Plan | Documented procedures | 50% faster incident resolution |
| Employee Training | Security awareness programs | 60% reduction in human error |
| Access Controls | Least privilege + MFA | 99% unauthorized access prevention |
Investment in Security
Research shows that e-commerce stores investing in comprehensive security measures experience:
- 85% fewer successful breaches
- 60% lower incident response costs
- 40% faster recovery times
- Higher customer trust and retention
The Broader E-commerce Threat Landscape
2025 E-commerce Security Statistics
| Metric | Value | Change from 2024 |
|---|---|---|
| Average Cost of E-commerce Breach | $4.35 million | +8% |
| Time to Identify Breach | 287 days | -5 days |
| Time to Contain Breach | 80 days | +3 days |
| Malware on E-commerce Sites | 42% increase | +42% |
| Payment Card Skimmers Detected | 18,000+ | +25% |
| API-Related Vulnerabilities | 35% of all incidents | +15% |
Top E-commerce Attack Vectors (2025)
| Rank | Attack Vector | Frequency | Avg. Impact |
|---|---|---|---|
| 1 | Unpatched Vulnerabilities | 38% | Critical |
| 2 | Credential Stuffing | 22% | High |
| 3 | SQL Injection | 15% | Critical |
| 4 | Third-Party Plugins | 12% | Medium-High |
| 5 | API Abuse | 8% | High |
| 6 | Social Engineering | 5% | Medium |
Regulatory and Compliance Implications
Potential Violations
Stores compromised through CVE-2025-54236 may face regulatory scrutiny under:
| Regulation | Jurisdiction | Potential Penalties |
|---|---|---|
| GDPR | European Union | Up to €20M or 4% of global annual turnover, whichever is higher |
| PCI-DSS | Global (payment cards) | Fines + loss of processing ability |
| CCPA | California, USA | Up to $7,500 per violation |
| PIPEDA | Canada | Up to $100,000 per violation |
| LGPD | Brazil | Up to 2% revenue (max 50M BRL) |
Compliance Requirements After Breach
- Notification Timeline:
  - GDPR: 72 hours to notify authorities
  - State laws (US): 30-90 days to notify customers
  - PCI-DSS: Immediate notification to payment brands
- Documentation Requirements:
  - Detailed incident timeline
  - Scope and impact assessment
  - Remediation measures taken
  - Prevention strategies implemented
Conclusion and Key Takeaways
The exploitation of CVE-2025-54236 (SessionReaper) represents a critical moment for the e-commerce industry. With more than 250 stores attacked in just 24 hours and an estimated 62% of Magento installations still unpatched, the urgency for immediate action cannot be overstated.
Critical Action Items:
✅ Apply security patches immediately – This is not optional
✅ Scan for compromise indicators – Assume breach until proven otherwise
✅ Implement defense-in-depth – One layer of security is insufficient
✅ Develop incident response capabilities – Be prepared for the worst
✅ Invest in continuous monitoring – Detection speed matters
The Bottom Line
The recurring pattern of critical vulnerabilities in Magento platforms, combined with slow patch adoption rates, creates a perfect storm for cybercriminals. Store owners must prioritize security as a business imperative, not an IT afterthought.
The cost of prevention is always lower than the cost of a breach.
Additional Resources
Official Security Advisories
- Adobe Security Bulletin (APSB25-XX)
- Sansec SessionReaper Analysis
- Searchlight Cyber Technical Analysis
Security Tools and Services
- Magento Security Scan: https://account.magento.com/scanner
- Malware Removal Service
- OWASP Security Testing Guide: Comprehensive security testing methodology
Emergency Contact Information
Adobe Security Response Team: psirt@adobe.com
Sansec Emergency Support: Via their website
Your Hosting Provider: Contact for immediate firewall updates, or use our website security services
Last Updated: October 2025
Threat Level: CRITICAL – Active Exploitation
Recommended Action: IMMEDIATE
Disclaimer: This analysis is based on publicly available information at the time of writing. The situation is rapidly evolving, and organizations should monitor official channels for the latest updates and guidance.
