Adobe “SessionReaper” Vulnerability Moves From Proof-Of-Concept To Actual Exploitation
October 30, 2025
In the wake of publication of the “SessionReaper” vulnerability (CVE-2025-54236) for Adobe Commerce, attackers have begun exploiting it in the wild. A patch was issued at the time of public disclosure, but organizations have reportedly been slow to apply it and criminals have been taking advantage.
The vulnerability is named for its ability to hijack sessions without any user interaction. Dutch security firm Sansec has been monitoring the issue and believes that publication of a full technical analysis of the vulnerability by cybersecurity vendor Assetnote triggered the initial wave of exploitation attempts in the wild.
Attackers follow public roadmap in attempts to exploit SessionReaper
CVE-2025-54236 affects Adobe Commerce and Magento Open Source. It was publicly disclosed (along with a patch) on September 9, 2025, and a detailed technical breakdown by Assetnote followed in late October. According to a blog post by cyber defense firm Sansec, the added detail from Assetnote appears to have helped attackers turn the theoretical attack into actual exploitation in the wild.
Sansec added that ongoing exploitation was a problem as, despite immediate availability of a patch for the vulnerability, only 38% of e-commerce platforms had applied it as of a little over a month later. The company said that its Sansec Shield product logged over 250 attempted SessionReaper attacks against an assortment of online stores using Magento in the earliest days of known in-the-wild exploitation of the vulnerability. The initial wave of attacks also came from just five IP addresses, but rapidly expanded to 97. Sansec believes that this is due to multiple attackers piling in as evidenced by a variety of payloads of varying sophistication and functionality.
Magecart attacks continue to be a serious problem
While Adobe Commerce offers clients automatic patching, Magento Open Source installations require such patches to be applied manually. Hundreds of thousands of e-commerce websites continue to run Magento, which makes for a large target base that attackers are usually quick to go after once word of a vulnerability gets around. The open source installation remains widely used because it avoids licensing fees and offers greater control over the implementation.
One of the most popular approaches among attackers who breach online shopping carts is to inject a trojan that quietly skims payment information from customer orders on an ongoing basis. These attacks can be difficult to detect because the actual theft happens in the customer’s browser. They were originally named for a group that specialized in them, but are now carried out by numerous threat actors.
Sansec notes that SessionReaper is most readily exploited on instances that use file-based session storage. Other instances (such as those backed by Redis) can also potentially be exploited with somewhat more work. In addition to ensuring the patch is installed, the researchers advise deploying a WAF in front of instances and scanning for signs of compromise; initial payloads may be detected by monitoring for PHP web shells or phpinfo probes.
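The two indicators named above, phpinfo probes and PHP files dropped where a store should never serve PHP, can be checked for in ordinary web server access logs and on disk. The following script is an added example written for this article; it is not code from Sansec, Adobe or the Magento project. It assumes a standard Magento 2 document root (where `pub/media`, `pub/static` and `var` hold uploads, static assets and cache data rather than application code) and Apache/nginx "combined" log format; the log lines and file paths embedded in it are constructed for the demonstration.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a standard Magento 2 document root. These directories hold uploaded
# media, static assets and cache/log data and should never contain executable PHP.
NO_PHP_DIRS = ("/pub/media/", "/media/", "/pub/static/", "/static/", "/var/")


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    target: str
    status: int
    reason: str    # "phpinfo-probe" or "php-in-upload-dir"
    severity: str  # "high" when the server answered 200 (the file exists and ran)


def classify_target(target: str) -> Optional[str]:
    """Return why a request target is suspicious, or None if it looks benign."""
    path = target.split("?", 1)[0]
    if "phpinfo" in target.lower():          # probe for a phpinfo() page, path or query
        return "phpinfo-probe"
    if path.lower().endswith(".php") and path.startswith(NO_PHP_DIRS):
        return "php-in-upload-dir"           # PHP requested from a non-code directory
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Parse combined-format log lines and collect the suspicious requests."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip malformed lines instead of crashing
        reason = classify_target(m["target"])
        if reason is None:
            continue
        status = int(m["status"])
        severity = "high" if status == 200 else "medium"
        findings.append(Finding(m["ip"], m["ts"], m["target"], status, reason, severity))
    return findings


def sources_by_count(findings: Iterable[Finding]) -> Counter:
    """Count findings per source IP, to see how many distinct sources are probing."""
    return Counter(f.ip for f in findings)


def flag_php_files(relative_paths: Iterable[str]) -> List[str]:
    """Return the paths (relative to the document root) that are PHP files
    sitting under a directory that should hold no PHP at all."""
    flagged = []
    for rel in relative_paths:
        norm = "/" + rel.replace(os.sep, "/").lstrip("/")
        if norm.lower().endswith(".php") and norm.startswith(NO_PHP_DIRS):
            flagged.append(rel)
    return flagged


def walk_docroot(docroot: str) -> List[str]:
    """Walk a real document root and return flagged PHP files (used from the CLI)."""
    rels = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rels.append(os.path.relpath(os.path.join(base, name), docroot))
    return flag_php_files(rels)


# Constructed sample log lines for demonstration; the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [30/Oct/2025:10:01:05 +0000] "GET /pub/media/wysiwyg/info.php HTTP/1.1" 200 86 "-" "curl/8.4"',
    '198.51.100.7 - - [30/Oct/2025:10:02:14 +0000] "GET /pub/media/phpinfo.php HTTP/1.1" 404 196 "-" "curl/8.4"',
    '198.51.100.7 - - [30/Oct/2025:10:02:20 +0000] "POST /pub/media/catalog/product/cache/x.php HTTP/1.1" 200 12 "-" "curl/8.4"',
    '203.0.113.55 - - [30/Oct/2025:10:03:00 +0000] "GET /pub/static/frontend/Magento/luma/en_US/css/styles-m.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

# Constructed sample file listing, as os.walk over a document root might produce.
SAMPLE_FILES = ["index.php", "pub/media/wysiwyg/info.php", "pub/media/logo.png",
                "var/cache/evil.php", "app/etc/env.php"]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.reason:18} {f.ip:14} {f.status} {f.target}")
    print("sources:", dict(sources_by_count(scan_access_log(SAMPLE_LOG))))
    print("on-disk:", flag_php_files(SAMPLE_FILES))
```

Run it as-is to see the constructed sample classified, or feed `scan_access_log(open("/var/log/nginx/access.log"))` and `walk_docroot("/var/www/html")` to check a real store. A 200 response to a PHP file under `pub/media` means the file actually exists and executed, which is why it is rated higher than a 404 probe; either way the finding is a cue to verify the CVE-2025-54236 patch level and review the host further, not a verdict on its own.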