SecurityWeek

Exploitation of Critical Adobe Commerce Flaw Puts Many eCommerce Sites at Risk

Patched in September, the SessionReaper bug could be exploited without authentication to bypass a security feature.

Hackers have started exploiting a critical-severity vulnerability in Adobe Commerce and Magento Open Source, cybersecurity firm Sansec reports.

Tracked as CVE-2025-54236 (CVSS score of 9.1), the flaw is described as an improper input validation issue leading to security feature bypass.

On September 9, Adobe released hotfixes for the security defect, urging users of Commerce and Magento Open Source versions between 2.4.4 and 2.4.7 to update their deployments.

Sansec, which refers to the bug as SessionReaper, warned at the time that threat actors were likely working to weaponize it, since Adobe’s patch had leaked one week before the hotfix was released.

Now, Sansec says active exploitation of CVE-2025-54236 has started, with roughly 250 attacks observed on Wednesday. The identified payloads contained PHP webshells and phpinfo probes.
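A sweep a defender can run over a Magento or Adobe Commerce document root for the kind of artifacts Sansec describes, dropped PHP webshells and phpinfo() probes. This is an added example, not Sansec’s or Adobe’s tooling: the indicator patterns are generic webshell heuristics, the list of directories that should never serve PHP is an assumption about a typically hardened deployment, and the sample files are constructed.

```python
"""Sweep a Magento/Adobe Commerce document root for dropped PHP webshells and
phpinfo() probes. Added example, not Sansec's or Adobe's tooling; indicator
patterns are generic webshell heuristics and SAMPLE_FILES are constructed."""
import re
from pathlib import Path

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"

# Indicator name -> regex run against each PHP file's source text. The .*?
# spans are intentionally loose: this is a triage sweep, not a parser.
INDICATORS = {
    "phpinfo_probe": re.compile(r"\bphpinfo\s*\(", re.I),
    "eval_of_request_input": re.compile(
        r"\b(?:eval|assert)\s*\(.*?" + SUPERGLOBAL, re.I | re.S),
    "command_exec_of_request_input": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(.*?" + SUPERGLOBAL,
        re.I | re.S),
    "encoded_payload": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "file_upload_dropper": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
}

# Directories under which a Magento install should not serve PHP at all
# (assumption based on common hardening guidance; adjust to your deployment).
NO_PHP_DIRS = ("pub/media/", "pub/static/", "var/")


def classify_source(relpath: str, source: str) -> list[str]:
    """Return the indicator names that fire on one PHP file ([] means clean)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if relpath.endswith(".php") and relpath.startswith(NO_PHP_DIRS):
        hits.append("php_in_non_code_dir")
    return hits


def sweep(files: dict[str, str]) -> dict[str, list[str]]:
    """files maps relative path -> source text; returns only the flagged files."""
    report = {}
    for relpath, source in files.items():
        hits = classify_source(relpath, source)
        if hits:
            report[relpath] = hits
    return report


def sweep_directory(root: str) -> dict[str, list[str]]:
    """Same as sweep(), but over every *.php file below a real document root."""
    root_path = Path(root)
    files = {}
    for p in root_path.rglob("*.php"):
        try:
            files[p.relative_to(root_path).as_posix()] = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
    return sweep(files)


# Constructed sample corpus: two planted files and two legitimate Magento files.
SAMPLE_FILES = {
    "pub/media/cache.php": "<?php phpinfo(); ?>",
    "pub/errors/report.php":
        "<?php if(isset($_POST['c'])){ @eval(base64_decode($_POST['c'])); }",
    "app/bootstrap.php": "<?php require_once __DIR__ . '/autoload.php';",
    "pub/index.php": "<?php use Magento\\Framework\\App\\Bootstrap;",
}

if __name__ == "__main__":
    for path, hits in sorted(sweep(SAMPLE_FILES).items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against a real install with `sweep_directory("/var/www/html")`; anything it flags still needs a human look, since a developer’s forgotten phpinfo test page and a freshly dropped probe look the same to a regex, and a hit on a file with a recent modification time is the one to prioritise.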

Exploitation activity is expected to surge quickly, since fewer than half of the affected ecommerce sites have been patched against the vulnerability.

Furthermore, on Wednesday, Searchlight Cyber published technical details on SessionReaper and its exploitation, which is expected to fuel in-the-wild targeting of the bug.

“With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours. Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper’s high impact makes it an attractive target for attackers,” Sansec notes.

The cybersecurity firm points out that only 38% of stores have applied Adobe’s hotfix, leaving 62% of Magento stores exposed.

Adobe warned roughly a month ago that the defect could lead to customer account takeover through the Commerce REST API.

On Wednesday, Adobe updated its advisory to confirm the security defect’s in-the-wild exploitation. “Adobe is aware of CVE-2025-54236 being exploited in the wild,” the update reads.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
