Urgent Warning: Over 62% of Magento Stores Vulnerable to SessionReaper Exploit Despite Available Patch
October 23, 2025
A critical vulnerability known as CVE-2025-54236, or SessionReaper, affects multiple versions of Adobe Commerce and Magento Open Source, allowing attackers to take over customer accounts through improper input validation.
Despite a security patch released on September 9, over 62% of Magento stores remained unpatched six weeks later, and exploits have been spreading rapidly following the publication of proof-of-concept code.
Cybercriminals have made over 250 exploit attempts recently, primarily deploying PHP webshells and probing for phpinfo pages, and cybersecurity experts warn that exploitation activity is expected to surge.
Sansec and other cybersecurity firms strongly recommend that site administrators urgently deploy patches, upgrade to the latest security releases, and scan their systems for signs of compromise.
The public disclosure of technical details about SessionReaper has facilitated the development of automated attack tools, leading to a rapid increase in exploitation activity.
The flaw stems from improper validation of serialized data, which lets the application accept malicious session files without authentication and can lead to account takeovers and data theft.
Adobe has confirmed that the vulnerability is actively being exploited in the wild, emphasizing the urgent need for website owners to patch their systems to prevent breaches.
The presence of proof-of-concept exploits in the wild underscores the critical importance of applying patches promptly to avoid further exploitation and potential data breaches.
Consumers are advised to exercise caution on suspicious websites, avoid entering sensitive information on untrusted sites, use third-party payment options like PayPal, and keep their systems updated.
Successful exploitation of CVE-2025-54236 can lead to customer account takeovers, data theft, fraudulent orders, security bypasses, remote code execution, and malware injection.
Attackers are deploying PHP webshells and probing phpinfo pages to extract server configuration data, further compromising affected sites.
Sansec urges all Magento store operators to immediately apply patches and conduct scans to detect and remove malicious backdoors, given the active exploitation of this flaw.
Attacks originate from multiple IP addresses, indicating either multiple threat actors or a single actor using VPNs, proxies, or compromised machines to conceal their identity.
Summary based on 7 sources
Sources

TechRadar (Oct 23, 2025): Hundreds of Adobe Magento stores hit after critical security flaw found - here's what we know
BleepingComputer (Oct 22, 2025): Hackers exploiting critical "SessionReaper" flaw in Adobe Magento
Malwarebytes (Oct 23, 2025): Thousands of online stores at risk as SessionReaper attacks spread
The Hacker News (Oct 23, 2025): Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw