
SessionReaper (CVE-2025-54236): Active Exploitation of Critical Adobe Magento Vulnerability Threatens E-Commerce Security

  • Rescana
  • 1 day ago
  • 4 min read

Executive Summary

A critical vulnerability, designated as SessionReaper (CVE-2024-34102), has been identified in Adobe Magento (also known as Adobe Commerce), a leading e-commerce platform. This flaw enables unauthenticated remote attackers to hijack active user sessions and, in many cases, achieve full account takeover or remote code execution (RCE) on vulnerable servers. Since the public disclosure and release of proof-of-concept (POC) exploit code, threat actors have rapidly weaponized the vulnerability, targeting unpatched Magento installations globally. The exploitation campaign is ongoing, with hundreds of attacks observed daily, and the majority of affected stores remain unpatched. This report provides a comprehensive technical analysis of the SessionReaper vulnerability, the tactics and procedures used by adversaries, observed exploitation in the wild, victimology, and actionable mitigation guidance.

Threat Actor Profile

The exploitation of SessionReaper is being conducted by a mix of financially motivated cybercriminals and opportunistic threat actors specializing in e-commerce compromise. Analysis of attack infrastructure and TTPs indicates involvement from established Magecart-style groups, known for web skimming and card data theft, as well as actors focused on deploying webshells for persistent access and monetization through ransomware or data exfiltration. No direct attribution to a specific Advanced Persistent Threat (APT) group has been made as of this writing. The attack pattern is consistent with groups leveraging automated scanning, mass exploitation, and rapid post-exploitation pivoting to monetize compromised stores.

Technical Analysis of Malware/TTPs

The SessionReaper vulnerability (CVE-2024-34102) arises from improper input validation and insecure session management within the Adobe Magento REST API. Specifically, the flaw allows an attacker to craft malicious API requests that manipulate session data stored on the server’s file system (the default configuration for most Magento deployments). By exploiting this weakness, an unauthenticated attacker can enumerate, hijack, and impersonate active user sessions, including those of administrative users.

The attack chain typically begins with reconnaissance, where the adversary scans for exposed Magento endpoints and determines the session storage mechanism. Once a target is identified, the attacker sends specially crafted REST API requests that exploit the deserialization flaw, enabling arbitrary session file access. If successful, the attacker can inject malicious PHP code or directly upload webshells, such as variants of WSO, C99, or custom lightweight shells, into the webroot. These webshells provide persistent remote access, command execution, and facilitate further lateral movement or data theft.

Observed Tactics, Techniques, and Procedures (TTPs) include the use of automated scripts to enumerate vulnerable stores, exploitation via the REST API, deployment of PHP webshells, execution of phpinfo() probes to gather environment details, and exfiltration of sensitive data. Attackers have also been seen leveraging compromised sessions to escalate privileges, create new administrative accounts, and disable security plugins.

Relevant MITRE ATT&CK techniques include T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), and T1071.001 (Web Protocols for C2 communication).

Exploitation in the Wild

Active exploitation of SessionReaper was first detected within days of the public disclosure and the release of a hotfix by Adobe. Security researchers from Sansec and BleepingComputer have documented a surge in attacks, with over 250 exploitation attempts blocked in a single day on monitored stores. Attackers are leveraging both public and private exploit code, with some campaigns using infrastructure previously associated with Magecart and other e-commerce threat actors.

The exploitation is highly automated, with attackers scanning for vulnerable endpoints and launching mass exploitation attempts. The majority of attacks originate from cloud-hosted IP addresses and bulletproof hosting providers, including but not limited to 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166. Attackers are observed deploying webshells, modifying core Magento files, and in some cases, exfiltrating customer databases and payment card data.

Security monitoring has also detected the use of phpinfo.php probes, which attackers use to confirm successful exploitation and gather system configuration details. In several incidents, attackers have chained SessionReaper with other vulnerabilities to achieve deeper persistence or escalate privileges.

Victimology and Targeting

The primary victims of SessionReaper exploitation are e-commerce businesses operating unpatched Adobe Magento or Adobe Commerce platforms. The attacks are global in scope, with no specific geographic or sectoral targeting. However, organizations with high transaction volumes, large customer databases, or those operating in regions with a high density of Magento deployments (such as North America, Europe, and Asia-Pacific) are disproportionately affected.

Victims include small and medium-sized online retailers, large e-commerce brands, and digital goods providers. The impact ranges from customer account compromise and data theft to full site defacement, ransomware deployment, and regulatory exposure due to payment card data breaches. In several documented cases, attackers have used compromised stores to launch further attacks against customers and supply chain partners.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by SessionReaper. All organizations running Adobe Magento or Adobe Commerce must apply the official security patches released in Adobe Security Bulletin APSB24-88 without delay. Patching closes the deserialization and session management flaws exploited by attackers.

Administrators should audit their webroot directories for unauthorized PHP files, especially webshells and phpinfo.php scripts. Monitoring for unusual REST API activity, unexpected session file access, and connections from known malicious IP addresses (such as 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166) is strongly recommended.

Where feasible, organizations should migrate session storage from the file system to a secure, database-backed or memory-based solution, reducing the attack surface. Enabling and properly configuring a Web Application Firewall (WAF) can help block exploit attempts and detect anomalous traffic patterns.

Regularly review and update administrative user accounts, enforce strong authentication (preferably multi-factor authentication), and ensure that all third-party extensions are up to date and sourced from reputable vendors. Conduct post-incident forensics if compromise is suspected, and notify affected customers and partners as required by law.
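The log and webroot checks recommended above, as an added Python example (not code from Rescana or Adobe): it flags requests from the IP addresses named in this report, phpinfo.php probes and REST write requests, and scans PHP sources for phpinfo() calls or eval()/assert() on request input. It assumes Apache/nginx combined-format access logs; the log lines are constructed samples.

```python
import re
from collections import Counter
# Attacker IP addresses named in the report above.
REPORTED_IPS = {"34.227.25.4", "44.212.43.34", "54.205.171.35",
                "155.117.84.134", "159.89.12.166"}
# Assumption: the web server writes Apache/nginx "combined" format access logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def classify(line):
    """Return (severity, reason) findings for one access-log line; [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return [("warn", "unparsable line")]
    ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
    findings = []
    if ip in REPORTED_IPS:
        findings.append(("high", f"{method} {path} from reported IP {ip}"))
    if "phpinfo.php" in path.lower():  # probe attackers use to confirm exploitation
        findings.append(("high", f"phpinfo probe {path} from {ip} (HTTP {status})"))
    elif path.startswith("/rest/") and method in WRITE_METHODS and ip not in REPORTED_IPS:
        # Legitimate cart traffic also writes via REST: low-priority review item only
        findings.append(("info", f"REST write {method} {path} from {ip}"))
    return findings

def triage(log_text):
    """Count findings by severity and high-severity hits per source IP."""
    by_severity, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        for severity, _reason in classify(line):
            by_severity[severity] += 1
            if severity == "high":
                by_ip[line.split(" ", 1)[0]] += 1
    return by_severity, by_ip

def audit_php_sources(files):
    """files: {path: source}. Return .php files calling phpinfo() or eval()/assert() on request input."""
    shell_re = re.compile(r"\b(phpinfo\s*\(|(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE))")
    return sorted(p for p, src in files.items() if p.endswith(".php") and shell_re.search(src))

# Constructed sample log (not real traffic): one benign hit, two from a reported IP, one REST write
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120
34.227.25.4 - - [14/Oct/2025:10:01:05 +0000] "POST /rest/V1/carts/mine/items HTTP/1.1" 200 312
34.227.25.4 - - [14/Oct/2025:10:01:09 +0000] "GET /phpinfo.php HTTP/1.1" 200 77000
198.51.100.9 - - [14/Oct/2025:10:02:00 +0000] "PUT /rest/V1/customers/me HTTP/1.1" 401 80
"""
```

Run triage() over the store's real access log and audit_php_sources() over the contents of the webroot; the REST-write heuristic is noisy on a busy store and is only a starting point for review.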

References

Adobe Security Bulletin: APSB24-88

NVD Entry: CVE-2024-34102

About Rescana

Rescana is a leader in third-party risk management (TPRM) and cyber risk intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber threats across their digital supply chain. By leveraging advanced analytics and real-time threat intelligence, Rescana helps businesses stay ahead of emerging vulnerabilities and maintain robust security postures. For more information or to discuss how we can support your organization’s cybersecurity needs, we are happy to answer questions at ops@rescana.com.
