Critical Adobe Commerce Flaw Under Active Exploitation, CISA Warns

Actively Exploited 'SessionReaper' Vulnerability (CVE-2025-54236) in Adobe Commerce Allows Session Hijacking

CRITICAL
October 27, 2025

Executive Summary

A critical vulnerability in Adobe Commerce and Magento, tracked as CVE-2025-54236, is under active attack. The flaw, nicknamed 'SessionReaper,' allows an unauthenticated attacker to hijack administrator and user sessions without any user interaction. Attackers are exploiting this to deploy PHP web shells, granting them persistent access and full control over compromised e-commerce sites. On October 24, 2025, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of in-the-wild exploitation. With a large percentage of stores still vulnerable, there is a high risk of widespread compromise, data theft, and financial loss for online retailers.


Vulnerability Details

CVE-2025-54236 is an improper input validation vulnerability affecting the REST API of Adobe Commerce and Magento. An unauthenticated attacker can send a specially crafted request to the API to hijack an existing, valid user session. The attack requires no privileges and no interaction from the targeted user, making it highly dangerous and easy to automate. The specific mechanism involves manipulating session validation logic, allowing the attacker to assume the identity and privileges of the hijacked session, which could include an administrator account.

Affected Systems

The vulnerability impacts the following versions:

  • Adobe Commerce / Magento 2.4.4-p15 and earlier
  • Adobe Commerce / Magento 2.4.9-alpha2 through 2.4.4-p15

According to security researchers, over 60% of scanned Magento installations were found to be unpatched, indicating a vast attack surface.

Exploitation Status

The vulnerability is being actively exploited. Attackers have been observed using the session hijacking capability to gain administrative access to the backend of Magento stores. Once access is achieved, they deploy PHP web shells, a common tactic for establishing persistence (T1505.003 - Server Software Component: Web Shell). This allows the attacker to execute arbitrary commands on the server, steal customer data, install credit card skimmers, or deface the website. The inclusion in CISA's KEV catalog underscores the real-world threat and mandates that U.S. federal agencies patch by a specified deadline.

Impact Assessment

A successful exploit of CVE-2025-54236 can be catastrophic for an e-commerce business:

  • Full Store Takeover: Hijacking an admin session gives the attacker complete control over the store, including products, orders, and customer data.
  • Customer Data Theft: Attackers can access and exfiltrate sensitive customer information, including names, addresses, and potentially stored payment details, leading to significant privacy violations and regulatory fines (e.g., GDPR, CCPA).
  • Financial Fraud: Compromised stores can be used to install digital skimming malware (Magecart-style attacks) that steals credit card information from customers during checkout.
  • Reputational Damage: A public breach can destroy customer trust and lead to long-term financial losses.

Detection & Response

  • Web Server Log Analysis: Security teams should urgently review web server and API logs for unusual or malformed requests to the REST API endpoints. Look for patterns that do not match legitimate application traffic. This aligns with Web Session Activity Analysis (D3-WSAA).
  • File Integrity Monitoring (FIM): Implement FIM to monitor for the creation of new or modified PHP files in web-accessible directories. An unexpected PHP file is a strong indicator of a web shell deployment. This is a form of File Analysis (D3-FA).
  • Threat Hunting: Proactively hunt for common web shell filenames (e.g., info.php, c99.php, r57.php) and use grep or similar tools to search for suspicious functions like eval(), base64_decode(), system(), or shell_exec() within your web root.

Mitigation

  1. Apply Security Updates: The primary and most critical mitigation is to apply the security patches provided by Adobe immediately. This is a form of Software Update (D3-SU).
  2. Restrict API Access: If patching is not immediately possible, restrict access to the REST API endpoints (/api/) to only trusted IP addresses. This can be done at the web server (e.g., Nginx, Apache) or firewall level. This is a temporary compensating control and not a substitute for patching.
  3. Regular Security Scans: Use vulnerability scanners specifically configured to detect Magento and Adobe Commerce vulnerabilities to ensure all components are up to date and properly configured.
  4. Review Admin Accounts: Regularly review administrator accounts for suspicious activity and enforce strong, unique passwords and MFA where available.

Timeline of Events

  1. October 24, 2025: CISA adds CVE-2025-54236 to its Known Exploited Vulnerabilities (KEV) catalog.
  2. October 27, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Applying the security patches from Adobe is the only way to fully remediate the vulnerability.
  • Restricting access to the API endpoints to only trusted IP addresses can serve as a strong compensating control.
  • Audit (M1047, Enterprise): Auditing web server logs and file systems is crucial for detecting exploitation attempts and subsequent web shell placement.

D3FEND Defensive Countermeasures

The immediate and highest-priority action for all Adobe Commerce and Magento administrators is to apply the security updates that address CVE-2025-54236. Given that over 60% of stores are reportedly vulnerable and active exploitation is confirmed, the risk of compromise is extremely high. Use the official Adobe Security Bulletin to identify the correct patch for your specific version. Before deploying to production, test the patch in a staging environment to ensure it doesn't disrupt store functionality. After patching, verify the update was successful using the command line or admin panel. This is not an optional update; it is an emergency remediation to prevent imminent compromise.

To detect if your Adobe Commerce or Magento store has already been compromised via CVE-2025-54236, a thorough file system analysis is required. Implement a File Integrity Monitoring (FIM) solution to alert on any new or modified files, particularly .php files, within your web directories. Manually scan your file system for common web shell indicators, searching for suspicious filenames and file content containing functions like eval, system, passthru, shell_exec, and base64_decode. Compare your current file system against a known-good backup or a fresh installation to identify unauthorized additions. A positive finding indicates a successful breach, and incident response procedures must be initiated immediately.
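The file-system checks in this paragraph, together with the File Integrity Monitoring and Threat Hunting items in the Detection & Response section, can be scripted. The Python script below is an added example and is not code from the article, from Adobe or from the Magento project: it hashes a web root against a known-good baseline to list files added or modified since the baseline was taken, and scans .php files for the suspicious filenames and function calls the article lists. The directory layout, filenames and PHP snippets that demo() creates under a temporary directory are constructed fixtures for the demonstration (the base64 string decodes to "demo"), and the regular expression is a deliberately simple heuristic that will not catch code which assembles function names at runtime.

```python
"""Added example (not code from the article, Adobe or Magento).

Implements the two file-system checks the article describes:
  1. compare the web root against a known-good baseline of file hashes
     (files added or modified since the baseline was taken), and
  2. scan .php files for the suspicious filenames and function calls listed.
The web root, file names and PHP contents created in demo() are constructed
fixtures for the demonstration, not real malware samples.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Function names the article lists as web shell indicators.
SUSPICIOUS_CALLS = ("eval", "system", "passthru", "shell_exec", "base64_decode")
# Filenames the article lists as common web shell names.
SUSPICIOUS_NAMES = {"info.php", "c99.php", "r57.php"}

# Match e.g. "eval(" or "base64_decode (" but not identifiers that merely contain
# the word (e.g. "my_system_check("). A simple heuristic: obfuscated code that
# builds the function name at runtime will not be caught by this pattern.
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\("
)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large media files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root.

    Take this from a known-good backup or a fresh install of the same version.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Files added or changed since the baseline; deletions are ignored here."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    modified = sorted(
        name for name, digest in current.items()
        if name in baseline and baseline[name] != digest
    )
    return {"added": added, "modified": modified}


def scan_php_content(root: Path) -> list:
    """Return (relative path, reason) for .php files that look like web shells."""
    findings = []
    for p in root.rglob("*.php"):
        reasons = []
        if p.name in SUSPICIOUS_NAMES:
            reasons.append("suspicious filename")
        calls = sorted({m.group(1) for m in CALL_RE.finditer(p.read_text(errors="replace"))})
        if calls:
            reasons.append("calls " + ", ".join(calls))
        if reasons:
            findings.append((p.relative_to(root).as_posix(), "; ".join(reasons)))
    return sorted(findings)


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate post-compromise changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pub").mkdir()
        (root / "pub" / "index.php").write_text("<?php require 'app/bootstrap.php';\n")
        baseline = build_baseline(root)

        # Constructed post-compromise artefacts: a dropped file under a writable
        # media directory, a suspiciously named file, and a modified core file.
        # None of these do anything harmful (the base64 string decodes to "demo").
        (root / "pub" / "media").mkdir()
        (root / "pub" / "media" / "cache.php").write_text(
            "<?php eval(base64_decode('ZGVtbw=='));\n"
        )
        (root / "pub" / "info.php").write_text("<?php phpinfo();\n")
        (root / "pub" / "index.php").write_text(
            "<?php shell_exec('uname'); require 'app/bootstrap.php';\n"
        )
        return {
            "diff": diff_against_baseline(root, baseline),
            "scan": scan_php_content(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real investigation, take the baseline from a backup or a clean install of the exact same version rather than from the possibly compromised host, and treat a hit from either check (an unexpected new file, or a core file whose hash changed) as a reason to start incident response rather than as proof on its own; legitimate extensions also use some of these functions, so every finding needs a human look.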

To detect active exploitation of 'SessionReaper,' security teams must analyze web and API logs for session anomalies. Establish a baseline of normal session activity for your Magento REST API. Hunt for indicators of hijacking, such as a session token suddenly being used from a completely different IP address or user-agent string, especially if the new IP geolocates to an unexpected country. Monitor for administrative actions (e.g., creating a new admin user, installing an extension) that originate from a session that was previously performing only low-privilege customer actions. These patterns are strong indicators that a session has been hijacked and is being abused by an attacker.
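The session-hunting logic described above can be turned into a small detector that runs over access-log records. The following Python script is an added example, not code from the article, Adobe or Magento. It raises an alert when a session identifier is used from a new source IP or user-agent, and when a session that has so far only performed customer-level requests starts performing administrative actions. The log line format, the classification of paths into customer-level and admin-level, and the sample log lines are all constructed for this demonstration; parse_line() and the two prefix tuples are the parts to adapt to your own web server or API gateway logs.

```python
"""Added example (not code from the article, Adobe or Magento).

Applies the session-hunting logic described in the article to access-log
records: alerts when a session ID appears from a new source IP or user-agent,
and when a session that has only performed customer-level requests starts
performing administrative actions. The log line format, the path
classification and the sample log are constructed for this demonstration.
"""
import re
from collections import defaultdict

# Constructed log format (one request per line):
#   <time> <client_ip> sess=<session_id> ua="<user_agent>" <method> <path>
LINE_RE = re.compile(
    r'^(?P<time>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) ua="(?P<ua>[^"]*)" '
    r'(?P<method>[A-Z]+) (?P<path>\S+)$'
)

# Assumed path classification for this demo; tune to your deployment.
CUSTOMER_PREFIXES = ("/rest/V1/customers/me", "/rest/V1/carts/mine")
REST_ADMIN_PREFIXES = ("/rest/V1/products", "/rest/V1/integration")


def parse_line(line: str):
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_admin_action(method: str, path: str) -> bool:
    """Anything under /admin/, or a state-changing call to an admin-only REST path."""
    if path.startswith("/admin/"):
        return True
    return method in ("POST", "PUT", "DELETE") and path.startswith(REST_ADMIN_PREFIXES)


def detect_session_anomalies(lines):
    """Return (session_id, reason) alerts in detection order."""
    alerts = []
    known_ips = defaultdict(list)   # session -> source IPs in order of first use
    known_uas = defaultdict(list)   # session -> user-agents in order of first use
    customer_sessions = set()       # sessions seen doing customer-level requests
    escalated = set()               # sessions already alerted on (alert once)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the hunt
        sess, ip, ua = rec["sess"], rec["ip"], rec["ua"]

        # Same session token, different client: the article's primary indicator.
        if ip not in known_ips[sess]:
            if known_ips[sess]:
                alerts.append((sess, f"new source IP {ip} (first seen {known_ips[sess][0]})"))
            known_ips[sess].append(ip)
        if ua not in known_uas[sess]:
            if known_uas[sess]:
                alerts.append((sess, f"new user-agent '{ua}' (first seen '{known_uas[sess][0]}')"))
            known_uas[sess].append(ua)

        # Low-privilege session suddenly performing admin-level actions.
        if is_admin_action(rec["method"], rec["path"]):
            if sess in customer_sessions and sess not in escalated:
                alerts.append((sess, f"admin action {rec['method']} {rec['path']} after customer-only activity"))
                escalated.add(sess)
        elif rec["path"].startswith(CUSTOMER_PREFIXES):
            customer_sessions.add(sess)
    return alerts


# Constructed sample: session abc123 starts as a shopper, then the same token
# is reused from another address and client and performs an admin-level write.
SAMPLE_LOG = """\
2025-10-25T09:00:01Z 203.0.113.10 sess=abc123 ua="Mozilla/5.0 (Windows NT 10.0)" GET /rest/V1/customers/me
2025-10-25T09:00:05Z 203.0.113.10 sess=abc123 ua="Mozilla/5.0 (Windows NT 10.0)" POST /rest/V1/carts/mine/items
2025-10-25T09:02:17Z 198.51.100.77 sess=abc123 ua="python-requests/2.32" GET /rest/V1/customers/me
2025-10-25T09:02:40Z 198.51.100.77 sess=abc123 ua="python-requests/2.32" POST /rest/V1/products
2025-10-25T09:03:10Z 203.0.113.55 sess=def456 ua="Mozilla/5.0 (Macintosh)" GET /rest/V1/carts/mine
2025-10-25T09:03:12Z 203.0.113.55 sess=def456 ua="Mozilla/5.0 (Macintosh)" GET /rest/V1/carts/mine/items
malformed line that does not match the expected format
"""


def run_demo():
    return detect_session_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for sess, reason in run_demo():
        print(f"ALERT session={sess}: {reason}")
```

On the sample, only session abc123 produces alerts; def456 stays quiet. A change of IP alone is a weak signal (mobile users roam between networks), so in practice the three indicators are best scored together, and the privilege-change rule is the one that most directly reflects the behaviour the article describes.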

Sources & References

27th October – Threat Intelligence Report
Check Point Research (research.checkpoint.com) October 27, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Session Hijacking, Web Shell, REST API, KEV, Improper Input Validation, Adobe, Magento
