Hackers are actively exploiting a critical vulnerability in Adobe Commerce (formerly Magento), tracked as CVE-2025-54236 and dubbed SessionReaper. Sansec researchers have confirmed that the bug entered active exploitation roughly six weeks after Adobe issued an emergency patch.
“Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. Sansec Shield blocked dozens of attacks today. With only 38% of stores patched and exploit details now public, mass abuse will follow in the coming hours,” the company said in an advisory.
Adobe first warned about the flaw on September 8, describing it as an improper input validation vulnerability affecting multiple Commerce versions, including 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, and 2.4.4-p15 (and earlier). Successful exploitation allows attackers to take control of customer sessions without user interaction, potentially compromising accounts through the Commerce REST API.
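The affected-version list above is the first thing a store owner needs to act on, and Adobe Commerce version strings (`2.4.7-p7`, `2.4.9-alpha2`) do not compare correctly as plain strings. The following triage script is an added example written for this article; it is not code from Adobe or Sansec. It parses a version string into a sortable tuple, treats each listed version as the ceiling of its release line (the advisory says "and earlier"), and classifies an installed version as affected, newer than the listed ceiling, or on an unlisted line. The article does not name the fixed builds, so a version newer than the ceiling is reported as "above" rather than "patched"; confirming the fix against Adobe's advisory is an assumption the script leaves to the reader.

```python
import re

# Highest affected version per release line, taken from the Adobe advisory
# quoted in the article. "and earlier" covers every lower build on the line
# and every older line.
AFFECTED_CEILINGS = {
    "2.4.9": "2.4.9-alpha2",
    "2.4.8": "2.4.8-p2",
    "2.4.7": "2.4.7-p7",
    "2.4.6": "2.4.6-p12",
    "2.4.5": "2.4.5-p14",
    "2.4.4": "2.4.4-p15",
}

# major.minor.patch with an optional -alphaN / -betaN / -pN suffix
# (assumed format; matches the strings in the advisory).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Ordering within one release: alpha < beta < bare release < patch level.
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(version):
    """Turn '2.4.7-p7' into a tuple that sorts the way Adobe's builds do."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch, stage, number = match.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(number or 0))


def release_line(version):
    """'2.4.7-p7' -> '2.4.7', the key used in AFFECTED_CEILINGS."""
    major, minor, patch, _, _ = parse_version(version)
    return f"{major}.{minor}.{patch}"


def triage(installed):
    """Classify an installed version against the advisory's affected list.

    Returns one of:
      "affected" - at or below the listed ceiling, or on an older line
      "above"    - newer than the listed ceiling for its line; the article
                   does not name the fixed builds, so verify against Adobe's
                   advisory instead of assuming the patch is present
      "unlisted" - on a newer release line the advisory does not mention
    """
    parsed = parse_version(installed)
    line = release_line(installed)
    if line in AFFECTED_CEILINGS:
        ceiling = parse_version(AFFECTED_CEILINGS[line])
        return "affected" if parsed <= ceiling else "above"
    oldest_listed = min(parse_version(c)[:3] for c in AFFECTED_CEILINGS.values())
    if parsed[:3] < oldest_listed:
        return "affected"
    return "unlisted"


def summarize(versions):
    """Count triage outcomes over a fleet of store versions."""
    counts = {"affected": 0, "above": 0, "unlisted": 0}
    for v in versions:
        counts[triage(v)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample fleet, not real store data.
    fleet = ["2.4.7-p6", "2.4.7-p8", "2.4.9-alpha2", "2.4.9", "2.4.3-p3", "2.4.10"]
    for v in fleet:
        print(f"{v:14} {triage(v)}")
    print(summarize(fleet))
```

Run it with the installed version reported by your store (for example from `bin/magento --version` on the application host) to see whether you fall inside the advisory's range; a bare `2.4.7` is correctly flagged as affected because it sorts below `2.4.7-p7`, and `2.4.9-beta1` sorts above `2.4.9-alpha2`.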
According to Sansec, more than 250 exploitation attempts have been detected targeting multiple stores, with most attacks traced to five IP addresses. The observed payloads included PHP webshells and phpinfo probes used to gather configuration data and identify exploitable systems.
Sansec estimates that 62% of Magento-based online stores remain unpatched.
“With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours. Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper's high impact makes it an attractive target for attackers,” the researchers have warned.
System administrators are strongly advised to apply Adobe’s security update or implement the company’s recommended mitigations as soon as possible to prevent compromise.