SessionReaper attacks have started, 3 in 5 stores still vulnerable
by Sansec Forensics Team
Published in Threat Research − October 22, 2025
Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. Sansec Shield blocked dozens of attacks today. With only 38% of stores patched and exploit details now public, mass abuse will follow in the coming hours.

Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation. Sansec Shield detected and blocked the first real-world attacks today, which is bad news for the thousands of stores that remain unpatched.
Security researchers at Assetnote published a detailed technical analysis of the vulnerability today, demonstrating the nested deserialization flaw that enables remote code execution. With proof-of-concept code circulating, the window for safe patching has effectively closed.
3 in 5 stores remain vulnerable
When we first reported on SessionReaper in September, fewer than one in three Magento stores had been patched. Six weeks later, that figure has barely improved: only 38% of stores are now protected. This means that 62% of Magento stores remain vulnerable to a critical remote code execution attack with publicly available exploit details.
For context, SessionReaper is comparable in severity to CosmicSting (2024), TrojanOrder (2022), and Shoplift (2015). Each of these vulnerabilities led to thousands of compromised stores, often within hours of exploit publication.
With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours. Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper's high impact makes it an attractive target for attackers.
See the full SessionReaper timeline in our initial article.
Immediate action required
If you are already using Sansec Shield, you have been protected against SessionReaper attacks since the initial discovery in September. No further action is needed.
If you are not using Sansec Shield, you must act immediately:
- Deploy the patch now: Test and deploy the patch or upgrade to the latest security release. Adobe's developer guide provides instructions.
- Activate WAF protection: If you cannot deploy the patch immediately, activate a web application firewall. Sansec Shield blocks SessionReaper attacks.
- Scan for compromise: If you delayed patching, run a malware scanner like eComscan to check for signs of compromise.
Active exploitation
Sansec tracks ecommerce attacks in real time around the globe. Today we blocked over 250 SessionReaper exploitation attempts in the wild targeting multiple stores. We will update this article as new details about attack patterns and methods emerge.
Attacks are coming from the following IPs.
Attack payloads so far contained PHP webshells or phpinfo probes.