SessionReaper RCE Vulnerability Puts Magento Stores at Risk


SessionReaper (CVE-2025-54236) is a critical unauthenticated remote code execution (RCE) vulnerability in Magento Open Source and Adobe Commerce, for which Adobe published an emergency hotfix on September 9, 2025. The flaw sits in the REST API, where insufficient input validation lets attacker-controlled data reach a nested deserialization and, from there, execute arbitrary PHP code on unpatched ecommerce servers. Active exploitation began on October 22, 2025, putting thousands of online stores at immediate risk: although the patch had been available for six weeks, an estimated 62% of Magento stores were still unprotected when the attacks started.

Severity: Critical

Vulnerability Details

  • Vulnerability ID: CVE-2025-54236
  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
  • Platforms Affected: Magento, Adobe Commerce
  • Affected versions:
    • Adobe Commerce: 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier
    • Adobe Commerce B2B: 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier
    • Magento Open Source: 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier
  • CVSS Score: 9.1
  • Exploit Status: Active (First attacks detected on October 22, 2025)

Attack Methodology

  1. Exploit Trigger: The vulnerability is caused by improper validation of input to Magento's REST API, which lets an attacker feed crafted data into a nested deserialization and ultimately execute arbitrary PHP code. The exploit observed in the wild works against stores that use file-based session storage.
  2. Exploitation Path: Attackers craft malicious session data and use the deserialization flaw to turn it into code execution, bypassing authentication and taking control of the system. The same foothold is used to upload PHP backdoors (webshells) for persistent access.
  3. Payload Delivery: Exploit attempts take the form of crafted requests to the REST API, in practice to the customer address file upload endpoint (/customer/address_file/upload). A successful request gives the attacker code execution on the server.
  4. Impact:
    • Unauthenticated Access: Attackers need no credentials; they can hijack customer sessions and accounts and run arbitrary code.
    • Arbitrary File Write and Code Execution: Attackers can modify server configuration, write files to critical locations, and execute code on the server.
  5. Exploit Availability: Public proof-of-concept (PoC) code is circulating, which makes mass exploitation likely. The pattern matches earlier Magento vulnerabilities such as CosmicSting (2024), TrojanOrder (2022), and Shoplift (2015), each of which led to the compromise of thousands of online stores.

Timeline of Events

  • Aug 22, 2025: Adobe begins preparing an emergency patch for SessionReaper.
  • Sep 9, 2025: Adobe releases the emergency hotfix (VULN-32437-2-4-X-patch) for SessionReaper.
  • Oct 14, 2025: Adobe ships the fix in its regular security patch releases.
  • Oct 22, 2025: Attack details are published and the first exploitation attempts are observed. Only 38% of Magento stores had patched by this date.

Recommendations

  1. Apply Adobe's hotfix to all affected Adobe Commerce and Magento Open Source installations, or upgrade to the latest security patch release. Applying the patch closes the hole but does not remove a backdoor that was planted before the patch.
  2. If you use the Custom Attributes Serializable module at version 0.1.0 to 0.3.0, first update the module to version 0.4.0 or later, then apply the hotfix VULN-32437-2-4-X-patch.
  3. If you cannot patch immediately, make sure a WAF sits in front of the store and blocks exploitation attempts; if your store does not use file-type customer address attributes, blocking requests to the customer address file upload endpoint outright is a simple interim control.
  4. Watch for abnormal traffic patterns, unexpected file uploads, and unexplained changes to your Magento instance, with particular attention to requests to the customer address file upload endpoint.
  5. If patching was delayed past October 22, 2025, assume the store may already be compromised: run malware scanners and check for backdoors and webshells.
  6. Rotate the secrets used by the system, above all the Magento encryption key: an attacker who has copied it keeps a way back in after the patch (for example, to alter CMS blocks) until the key is replaced.
  7. Block the indicators of compromise (IOCs) from the VirusTotal collection below at the relevant controls:
    https://www.virustotal.com/gui/collection/c6729c0b80eefd7dbdaf147b3cfd0288d0ec8e47da8fb9b0a69e93db338a6f1f/iocs
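The following Python script is an added example and is not part of this advisory, Adobe's guidance, or the Magento code base. It implements the monitoring called for in recommendation 4 and the exploitation path described under Attack Methodology: it scans web server access logs in the common combined format, reports every request to the customer address file upload endpoint named above, and rates as critical any later request from the same client for a .php path, the sequence you would expect when a webshell is dropped and then called. The sample log lines are constructed, and the .php follow-up heuristic, rule labels and severity ratings are my assumptions rather than published signatures.

```python
import re
import sys
from collections import Counter

# Endpoint the advisory names as the one abused in observed SessionReaper attacks.
# Matched as a substring so that REST-prefixed variants of the path are caught too.
UPLOAD_ENDPOINT = "customer/address_file/upload"

# Combined log format (Apache/nginx default): client, identd, user, [time],
# "METHOD PATH PROTO", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for demonstration only; this is not real traffic.
# The last line is a benign .php hit (Magento ships pub/health_check.php) from a
# client that never touched the upload endpoint, so it must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2025:03:14:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.7 - - [22/Oct/2025:03:14:05 +0000] "GET /pub/media/customer_address/helper.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.32.3"
198.51.100.4 - - [22/Oct/2025:03:15:10 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 20481 "https://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [22/Oct/2025:03:16:41 +0000] "POST /customer/account/loginPost/ HTTP/1.1" 302 0 "https://shop.example/customer/account/login/" "Mozilla/5.0"
192.0.2.10 - - [22/Oct/2025:03:17:00 +0000] "GET /health_check.php HTTP/1.1" 200 2 "-" "kube-probe/1.30"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Scan access-log text and return findings in log order.

    Rule A: any request whose path contains the upload endpoint. A POST is the
            only method that can carry an upload, so it is rated 'high'; other
            methods (probing) are rated 'medium'.
    Rule B: a later request from a client already seen under Rule A for a path
            ending in .php. This is an assumed heuristic for a dropped webshell
            being called: normal Magento URLs are routed through index.php and
            do not expose .php paths to clients.
    """
    findings = []
    upload_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if UPLOAD_ENDPOINT in path:
            upload_clients.add(rec["ip"])
            findings.append({**rec, "rule": "A",
                             "severity": "high" if rec["method"] == "POST" else "medium"})
        elif rec["ip"] in upload_clients and path.lower().endswith(".php"):
            findings.append({**rec, "rule": "B", "severity": "critical"})
    return findings


def clients_to_block(findings):
    """Return client IPs sorted by how many findings they produced (most first)."""
    counts = Counter(f["ip"] for f in findings)
    return [ip for ip, _ in counts.most_common()]


def main(argv):
    # Pass an access log path as the first argument; without one the sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    findings = triage(text)
    for f in findings:
        print(f"{f['severity']:<8} rule {f['rule']}  {f['ip']:<15} {f['ts']}  "
              f"{f['method']} {f['path']}")
    print("clients to block:", ", ".join(clients_to_block(findings)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the store's access log (for example `python3 triage.py /var/log/nginx/access.log`). Rule A alone already answers the question most operators have after October 22 (did anyone hit the endpoint, and with what method), while Rule B separates a genuine upload-then-execute chain from the benign .php requests that exist on every Magento host. Any client that appears in the output should be cross-checked against the IOC collection above, and a Rule B hit means the file at that path should be pulled for analysis before it is deleted.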

Ampcus Cyber