
Over 250 Magento and Adobe Commerce Stores Compromised via CVE-2025-54236 SessionReaper Vulnerability: Threat Intelligence Report

  • Rescana
  • 14 hours ago
  • 5 min read


Executive Summary

Over the course of a single night, more than 250 e-commerce sites running Magento and Adobe Commerce were compromised by threat actors exploiting a newly disclosed critical vulnerability, CVE-2025-54236 (dubbed "SessionReaper"). This flaw, which resides in the Adobe Commerce REST API, enables unauthenticated remote code execution and account takeover. Despite the release of a security patch by Adobe over six weeks ago, a significant portion of the global Magento ecosystem remains unpatched, leaving thousands of online retailers exposed to active exploitation. The attack campaign demonstrates a high degree of automation and technical sophistication, leveraging public proof-of-concept code and targeting a broad swath of the e-commerce sector. The incident underscores the urgent need for rapid patch management and continuous monitoring of public-facing applications.

Threat Actor Profile

The current exploitation wave is attributed to unidentified cybercriminal groups rather than a known Advanced Persistent Threat (APT). Analysis of attack infrastructure and tactics suggests the involvement of financially motivated actors with a focus on mass exploitation and monetization through webshell deployment, data exfiltration, and potential resale of compromised access. The attackers demonstrate proficiency in exploiting deserialization vulnerabilities and automating attacks at scale. No direct links to nation-state actors or established ransomware groups have been observed at this stage. The campaign is opportunistic, targeting any vulnerable Magento or Adobe Commerce instance globally, with no evidence of sector-specific targeting beyond the e-commerce vertical.

Technical Analysis of Malware/TTPs

The exploited vulnerability, CVE-2025-54236, is a critical improper input validation and nested deserialization flaw in the Adobe Commerce and Magento Open Source REST API, specifically affecting the /customer/address_file/upload endpoint. Attackers craft malicious serialized payloads that, when processed by the vulnerable API, result in arbitrary PHP object instantiation and code execution. This enables the upload of persistent PHP webshells, such as variants of WSO and b374k, granting attackers full remote access to the underlying server.

The attack chain typically begins with automated scanning for exposed and unpatched endpoints. Upon identification, the threat actor sends a specially crafted POST request to the vulnerable API, bypassing authentication controls and triggering the deserialization flaw. Successful exploitation results in the deployment of a webshell, which is then used to enumerate the environment, extract sensitive configuration data (including database credentials and API keys), and establish additional persistence mechanisms. In several observed cases, attackers have leveraged the initial foothold to hijack customer accounts, manipulate order data, and exfiltrate personally identifiable information (PII).

Indicators of compromise include unauthorized files in web-accessible directories, anomalous POST requests to /customer/address_file/upload, and connections from known malicious IP addresses such as 34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, 155.117.84[.]134, and 159.89.12[.]166. The presence of PHP info files and of unfamiliar administrative users is also a strong signal of compromise.

The technical sophistication of the campaign is further evidenced by the rapid weaponization of public proof-of-concept exploits, as detailed in advisories from Searchlight Cyber and Foregenix. The attackers employ obfuscation techniques to evade signature-based detection and frequently rotate infrastructure to avoid blacklisting.

Exploitation in the Wild

The exploitation of CVE-2025-54236 has been observed at scale since the public disclosure of the vulnerability and the subsequent release of exploit code. Security researchers and threat intelligence platforms, including The Hacker News, Security Affairs, and BleepingComputer, have documented a surge in attacks beginning in mid-October 2025. The campaign is characterized by its speed and breadth, with over 250 distinct Magento and Adobe Commerce stores compromised in a 24-hour window.

Attack telemetry indicates that the majority of successful intrusions occurred on systems that had not applied the Adobe security update released in September 2025 (see Adobe Security Bulletin APSB25-88). The attackers have shown a preference for high-traffic e-commerce sites, likely to maximize the value of stolen data and access. In several cases, compromised stores were used as staging points for further attacks, including the distribution of credit card skimmers and the injection of malicious JavaScript.

The exploitation campaign is ongoing, with new victims reported daily. The availability of automated attack tools and public exploit scripts has lowered the barrier to entry, enabling less sophisticated actors to participate in the campaign. The widespread nature of the attacks highlights the critical importance of timely patching and proactive security monitoring.

Victimology and Targeting

The primary victims of this campaign are operators of online stores running unpatched versions of Magento Open Source, Adobe Commerce, and Adobe Commerce B2B. Affected versions include 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier for both Adobe Commerce and Magento Open Source, as well as 1.5.3-alpha2 and earlier for Adobe Commerce B2B.

Victims are distributed globally, with no specific geographic concentration. The attack is indiscriminate, affecting small businesses and large enterprises alike. The common denominator is the use of vulnerable Magento or Adobe Commerce installations that have not been updated in accordance with vendor guidance. The impact on victims includes website defacement, theft of customer data, disruption of business operations, and potential regulatory penalties for data breaches.

Notably, the campaign has not targeted any specific industry verticals outside of e-commerce, nor has it demonstrated a preference for particular countries or regions. The opportunistic nature of the attacks suggests that any organization operating a vulnerable instance is at risk.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by CVE-2025-54236. All organizations operating Magento or Adobe Commerce platforms must apply the latest security patches provided by Adobe (see APSB25-88). Patch deployment should be prioritized for all affected versions, including 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier, and 1.5.3-alpha2 and earlier for Adobe Commerce B2B.

In addition to patching, organizations should conduct a comprehensive review of server logs for evidence of exploitation, focusing on anomalous POST requests to /customer/address_file/upload and connections from known malicious IP addresses. Any unauthorized PHP files or webshells discovered on the server must be removed immediately. It is also recommended to rotate all administrative and customer credentials, as attackers may have harvested authentication data during the intrusion.
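One way to carry out the log review described above, as an added example that is not from the report or from Adobe: the script parses combined-format web-server access log lines (constructed samples, not real telemetry), flags POST requests to the endpoint named in the advisory, and flags any request from the IP addresses the report lists (refanged from their `[.]` form).

```python
import re

# Indicator IPs exactly as the report lists them (defanged with "[.]").
REPORTED_IPS = [
    "34.227.25[.]4", "44.212.43[.]34", "54.205.171[.]35",
    "155.117.84[.]134", "159.89.12[.]166",
]
# The endpoint named in the advisory; matched as a substring so that any
# REST base prefix in front of it (for example /rest/V1) is still caught.
SUSPECT_PATH = "/customer/address_file/upload"

# Combined log format: client IP, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real telemetry); 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
34.227.25.4 - - [16/Oct/2025:02:14:07 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Oct/2025:02:15:11 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
159.89.12.166 - - [16/Oct/2025:02:16:45 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [16/Oct/2025:02:17:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 500 0 "-" "Go-http-client/1.1"
"""

def refang(ip):
    """Turn a defanged indicator ("1.2.3[.]4") back into a comparable address."""
    return ip.replace("[.]", ".")

def triage_line(line, bad_ips):
    """Return a finding dict for a suspicious line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return {"ip": None, "path": None, "status": None, "reasons": ["unparseable line"]}
    reasons = []
    if m["ip"] in bad_ips:
        reasons.append("source IP is a reported indicator")
    if m["method"] == "POST" and SUSPECT_PATH in m["path"]:
        reasons.append("POST to the CVE-2025-54236 upload endpoint")
    if not reasons:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "reasons": reasons}

def triage_log(text, reported_ips=REPORTED_IPS):
    """Scan an access log and return the suspicious lines in file order."""
    bad = {refang(ip) for ip in reported_ips}
    return [f for f in (triage_line(ln, bad) for ln in text.splitlines() if ln.strip()) if f]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["ip"], finding["path"], "->", "; ".join(finding["reasons"]))
```

A flagged POST that returned a non-2xx status still deserves a look, since the status alone does not prove the request failed to reach the vulnerable code path.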

Further countermeasures include implementing web application firewalls (WAFs) with rules to block suspicious API requests, restricting access to sensitive endpoints, and enabling multi-factor authentication (MFA) for all administrative accounts. Regular vulnerability scanning and penetration testing should be conducted to identify and remediate potential weaknesses before they can be exploited.

Organizations are encouraged to monitor threat intelligence feeds and subscribe to vendor security advisories to stay informed of emerging threats. Incident response plans should be reviewed and updated to ensure rapid containment and recovery in the event of a compromise.

References

The following sources provide additional technical details and guidance on the SessionReaper vulnerability and ongoing exploitation:

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.
