Adobe Magento SessionReaper Flaw Actively Exploited by Hackers

johny899

Have you heard of the SessionReaper bug? If you have an Adobe Commerce (formerly Magento) store, this is important to know. According to researchers at Sansec, hackers have been seen exploiting this critical vulnerability, which has an official ID of CVE-2025-54236, and hundreds of attacks have been seen already.

What is SessionReaper?

SessionReaper is an important weakness in Adobe Commerce due to input validation issues in specific versions - 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, and below. The scary part is that hackers are able to compromise customer accounts without even a click. It basically allows hackers to take over sessions through the Commerce REST API, given that the store is using default session storage, which is customary.

How Hackers Are Taking Advantage of It

Sansec reported that hackers were already actively attacking stores only six weeks after Adobe released an emergency patch. In a single day, they recorded over 250 attacks from only five IP addresses, including:

  • 34.227.25.4
  • 44.212.43.34
  • 54.205.171.35
  • 155.117.84.134
  • 159.89.12.166

These attacks include PHP webshells or probes using phpinfo() type checks to learn about the server settings and find vulnerabilities that can be exploited. Furthermore, a technical assessment by Searchlight Cyber could spur many more hackers to do the same, which we believe raises the need for expedited patching even more.

Why So Many Stores Are Still Vulnerable

The startling news is that approximately 62% of Magento stores still have not applied the update. It should also be noted that only a third of websites had applied the update 10 days after the patch had gone out, which means that 3 out of 5 stores are still vulnerable, giving attackers over a week in which they could attack the back end of your store.

What You Should Do

If you are the administrator of an Adobe Commerce store, you should not waste time—apply the patch, or Adobe's recommended mitigations, immediately. Failing to patch this security bug puts your store at risk of customer accounts being taken over or sensitive customer data being stolen, in addition to the possibility of malicious code being injected into the store.

This begs the question—why are business owners still ignoring important updates? Typically, it's simply a matter of neglect or fear of losing their carefully configured custom setup. However, when the risk is this high, that fear seems inconsequential in contrast to the environmental changes associated with the bug fix.

Bottom Line

The SessionReaper bug is likely one of the most considerable security bugs in the history of Adobe Magento. Hackers are actively exploiting the bug, which leaves store owners to react as quickly as possible to avoid falling victim to the exploit. Owners should apply the patch, monitor their stores for atypical behavior, and engage with Adobe forums or announcements to respond quickly, because in the world of e-commerce, a small vulnerability can, of course, cost a fortune.
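A defender's log check, added here as an example that is not part of johny899's post or of Sansec's tooling: it scans web-server access-log lines in the Apache/nginx "combined" layout (an assumed format) for the five source IPs and the phpinfo() probe pattern named in the post. The sample log lines and request paths are constructed for the demonstration and are not real exploit traffic.

```python
import re
from typing import List, Optional

# Source IPs reported by Sansec in the post above.
SESSIONREAPER_SOURCE_IPS = {
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
}

# Assumed layout: Apache/nginx combined log format, e.g.
# 203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /path HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The post describes probes using phpinfo()-style checks; flag any request
# path mentioning it, case-insensitively.
PROBE_RE = re.compile(r"phpinfo", re.IGNORECASE)


def classify_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: ignored by this simple scanner
    reasons = []
    if m["ip"] in SESSIONREAPER_SOURCE_IPS:
        reasons.append("known-source-ip")
    if PROBE_RE.search(m["path"]):
        reasons.append("phpinfo-probe")
    if not reasons:
        return None
    # A 200 on a phpinfo probe deserves the most attention: the file exists.
    return {"ip": m["ip"], "path": m["path"],
            "status": int(m["status"]), "reasons": reasons}


def scan_log(text: str) -> List[dict]:
    """Scan a whole log body and return every line that produced a finding."""
    lines = (ln for ln in text.splitlines() if ln.strip())
    return [hit for hit in map(classify_line, lines) if hit]


# Constructed sample log (not real traffic); only the IPs come from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120
159.89.12.166 - - [22/Oct/2025:10:01:05 +0000] "POST /rest/V1/example HTTP/1.1" 200 312
203.0.113.11 - - [22/Oct/2025:10:01:09 +0000] "GET /pub/phpinfo.php HTTP/1.1" 404 120
34.227.25.4 - - [22/Oct/2025:10:01:12 +0000] "GET /media/PHPinfo.php HTTP/1.1" 200 70000
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against your real access log with `scan_log(open(path).read())`; hits from the listed IPs are worth checking even when the request path looks ordinary, since the post notes the session takeover goes through the REST API rather than a visibly suspicious URL.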