Quick Takeaways
- A critical Adobe Commerce vulnerability, "SessionReaper" (CVE-2025-54236), allows attackers to bypass security and take over sessions remotely, prompting emergency updates following its disclosure on Sept. 9.
- Dutch security firm Sansec reported increasing exploitation activity, with over 250 attacks blocked against various stores, and only 38% of e-commerce platforms patched a month post-disclosure.
- With the release of a proof-of-concept exploit, Sansec warns that the window for safe patching is closing, anticipating mass exploitation within 48 hours.
- Adobe Commerce users are urged to apply the emergency update, deploy a Web Application Firewall, and monitor for specific attack patterns involving PHP Web shells and phpinfo probes.
Fear the 'SessionReaper': Adobe Bug Under Attack
A critical vulnerability in Adobe Commerce known as “SessionReaper” has come under attack amid the release of a proof-of-concept exploit.
CVE-2025-54236, an improper input validation flaw, was disclosed on Sept. 9 and patched via an emergency update for Adobe Commerce (formerly Magento) and Magento open source versions. If exploited, attackers can bypass security features and remotely take over Adobe Commerce sessions without any user interaction — hence the name “SessionReaper.”
In a blog post published on Wednesday, Dutch security firm Sansec said it detected exploitation activity for SessionReaper. In an updated advisory for CVE-2025-54236, Adobe confirmed that the flaw had been exploited in the wild.
Worse, Sansec’s digital forensics team said that just 38% of e-commerce platforms are patched for SessionReaper more than a month after it was first disclosed.
SessionReaper Proof-of-Concept Published
According to Sansec, exploitation activity for SessionReaper began Wednesday. The company said it blocked more than 250 attempted attacks against multiple stores with its Magento-focused Sansec Shield Web application firewall (WAF).
Sansec also noted that researchers for cybersecurity vendor Assetnote published a full technical analysis and proof-of-concept exploit for SessionReaper on Wednesday. It’s unclear if the exploitation attempts that Sansec blocked used Assetnote’s PoC.
“We don’t have direct evidence to support this, but we have been running monitors across 10% of the install base since early September, and have not observed any attacks until the day of the Assetnote publication,” Sansec founder Willem de Groot tells Dark Reading.
Additionally, exploitation activity appears to be increasing. While attack attempts initially stemmed from just five IP addresses, de Groot says the threat activity has now extended to 97 different IPs. “We have logged several distinct attack payloads, which suggests that multiple actors are running mass scanners right now,” he says. “It seems that some threat actors are struggling to create a working attack chain, while others have managed to produce functioning attack methods.”
Fortifying Defenses Against the ‘Reaper’
Whatever the source of the exploitation attempts is, Sansec said in its report that “the window for safe patching has effectively closed,” and advised Adobe Commerce customers to take immediate action.
“With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours,” Sansec wrote. “Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper’s high impact makes it an attractive target for attackers.”
Besides applying the emergency update, Sansec recommended that Adobe Commerce customers deploy a WAF to protect their instances and scan for signs of compromise. Sansec also noted that initial payloads in attacks on CVE-2025-54236 featured PHP Web shells or phpinfo probes, so customers should monitor for such activity.
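The two indicators Sansec names, phpinfo probes and dropped PHP Web shells, both leave traces in ordinary web-server access logs. The following Python script is an added example, not code from Sansec, Adobe, or this article: it parses combined-format access-log lines and flags (a) any request whose URI mentions phpinfo and (b) any request for a .php file outside the store's known public entry points, which is how a freshly written Web shell typically shows up. The sample log lines are constructed, and the allowlist of entry points is an assumption that a store operator would replace with their own deployment's list.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Oct/2025:10:01:05 +0000] "GET /phpinfo.php HTTP/1.1" 404 312 "-" "python-requests/2.31"
203.0.113.12 - - [15/Oct/2025:10:01:09 +0000] "POST /media/tmp.php HTTP/1.1" 200 128 "-" "curl/8.0"
203.0.113.13 - - [15/Oct/2025:10:01:12 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.14 - - [15/Oct/2025:10:01:20 +0000] "GET /info.php?f=%70hpinfo HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.15 - - [15/Oct/2025:10:01:25 +0000] "GET /static.php?resource=css/styles.css HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
203.0.113.16 - - [15/Oct/2025:10:01:30 +0000] "GET /health_check.php HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""

# Assumed allowlist of PHP files a store legitimately serves from its web root.
# Replace with the entry points actually present in your deployment.
KNOWN_PHP_ENTRYPOINTS = {"/index.php", "/get.php", "/static.php", "/health_check.php", "/cron.php"}

# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    uri: str
    status: int
    reason: str


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(rec):
    """Return a reason string if the request matches one of the two indicators, else None."""
    uri = unquote(rec["uri"])          # decode %xx so encoded 'phpinfo' is still caught
    path = urlsplit(uri).path
    if "phpinfo" in uri.lower():
        return "phpinfo probe"
    if path.lower().endswith(".php") and path not in KNOWN_PHP_ENTRYPOINTS:
        return "request to unexpected PHP file (possible web shell)"
    return None


def scan_log(text):
    """Scan all lines and collect findings; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ip"], rec["uri"], int(rec["status"]), reason))
    return findings


def served_shells(findings):
    """Highest priority: unexpected PHP files that the server actually served (HTTP 200),
    meaning the file exists on disk rather than being a blind probe."""
    return [f for f in findings if f.status == 200 and "web shell" in f.reason]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:16} {f.status} {f.reason}: {f.uri}")
    for f in served_shells(results):
        print(f"INVESTIGATE NOW: {f.uri} returned 200 for {f.ip}")
```

A 404 for a phpinfo probe means a scanner is looking, which is worth logging; a 200 for a PHP file you did not deploy means something already wrote to the web root, which is the case to escalate first. Pair this with a file-integrity check of the web root, since a Web shell dropped under a non-.php name or a legitimate entry point that has been modified in place will not be caught by the path rule alone.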
Adobe acquired Magento in 2018, and since then the platform, later renamed Adobe Commerce, has been increasingly targeted by threat actors. Much of that activity comes from Magecart attacks, which specialize in credit card skimming and data theft from online stores.