The Akamai Security Intelligence Group has issued an urgent warning after observing active exploitation in the wild of a newly disclosed Magento vulnerability known as SessionReaper (CVE-2025-54236). The flaw, rated critical, allows attackers to hijack user sessions — and, under certain conditions, achieve unauthenticated remote code execution (RCE) on vulnerable servers.
According to Akamai researchers, “Over the course of 48 hours, starting on October 22, 2025, more than 300 exploitation attempts were made against over 130 different hosts. These exploit attempts originated from 11 different IPs.”
The vulnerability, which affects Magento (now Adobe Commerce), was first disclosed in an Adobe emergency patch bulletin on September 9, 2025. Within weeks, a public proof-of-concept (PoC) surfaced online, setting off a wave of automated scanning and exploitation attempts targeting e-commerce platforms across the globe.
SessionReaper, tracked as CVE-2025-54236, is an improper input validation vulnerability in Magento’s session-handling logic. It was initially described as a session-takeover bug, but further analysis revealed that attackers could chain the flaw to execute arbitrary PHP code on unpatched servers.
Akamai’s report warns that “successful exploitation of SessionReaper can also result in unauthenticated remote code execution.”
Following the public release of the PoC exploit, Akamai’s telemetry systems detected an immediate spike in malicious traffic targeting Magento endpoints. Within two days, researchers observed a flood of reconnaissance and exploit payloads attempting to compromise exposed instances.
Among these were “classic phpinfo and echo probes, a common attacker reconnaissance measure,” as well as web shells designed for persistent server access.
These web shells, once deployed, enable attackers to manipulate Magento’s backend, exfiltrate payment data, create rogue administrator accounts, and use the compromised infrastructure as a launchpad for further intrusions.
Akamai’s report highlights that “the most damaging payloads are web shells designed to allow a threat actor to gain persistent access to the web server.”
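The reconnaissance traffic described above (phpinfo and echo probes followed by web-shell access) is the kind of thing a defender can surface from ordinary web server access logs. The following is an added example, not code from Akamai or the Magento project: it parses Common Log Format lines, URL-decodes the request target, and flags the three indicators named in the article. The log lines are constructed for illustration, the IP addresses are documentation-range placeholders, the paths are not the vulnerable Magento endpoint (the article does not name it), and the `php_in_media_path` rule assumes, as a store-specific baseline, that the web server never serves PHP scripts from the media upload directory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format). Not real traffic:
# IPs are from the documentation range and the request paths are placeholders.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.11 - - [22/Oct/2025:10:01:05 +0000] "POST /example-endpoint?p=%3C%3Fphp%20echo%20phpinfo%28%29%3B HTTP/1.1" 200 310',
    '203.0.113.12 - - [22/Oct/2025:10:01:09 +0000] "GET /index.php?cmd=echo%20probe123 HTTP/1.1" 200 42',
    '203.0.113.13 - - [22/Oct/2025:10:02:00 +0000] "GET /media/upload.php?x=1 HTTP/1.1" 200 77',
    '198.51.100.5 - - [22/Oct/2025:10:02:30 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9000',
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicators, evaluated against the URL-decoded request target.
# The last rule is an assumption about this deployment: PHP scripts are never
# expected to be requested from the media upload directory, so such a request
# is treated as a possible web shell being invoked.
INDICATORS = [
    ("phpinfo_probe", re.compile(r"phpinfo\s*\(", re.I)),
    ("echo_probe", re.compile(r"\becho\b", re.I)),
    ("php_in_media_path", re.compile(r"^/(?:pub/)?media/.*\.php(?:$|\?)", re.I)),
]


def scan_log_lines(lines):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        # Decode percent-encoding (and '+') so encoded payloads are visible to the rules
        decoded = unquote_plus(m.group("target"))
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({"ip": m.group("ip"), "target": decoded, "indicators": hits})
    return findings


def count_by_source(findings):
    """Count flagged requests per source IP, to spot the handful of hosts driving a campaign."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOG_LINES)
    for f in found:
        print(f"{f['ip']}  {', '.join(f['indicators'])}  {f['target']}")
    print("per-source counts:", count_by_source(found))
```

The decode step matters: the phpinfo probe in the second sample line is percent-encoded, so a rule run on the raw log line would miss it. In practice the per-source counts are what you would feed into blocking or alerting, and a request that matches `php_in_media_path` warrants checking the filesystem for a recently written PHP file in that directory.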
Magento, now integrated under Adobe Commerce, powers thousands of online retail platforms, including SMBs and large-scale enterprise storefronts. Its popularity, combined with a history of exploitable flaws, makes it a recurring target for cybercriminals.
Akamai emphasizes this point: “Magento’s ubiquity and history of critical vulnerabilities make it an attractive target for threat actors.”
This latest wave mirrors previous campaigns such as Magecart and Cardbleed, in which attackers injected JavaScript skimmers into checkout pages to steal customer data.
Given the simplicity of exploitation and the public availability of weaponized scripts, Akamai strongly advises immediate patching.
“Given the widespread use of Magento and the critical nature of this vulnerability, organizations should apply the patches provided by Adobe as soon as possible,” the researchers warned.