A massive wave of cyberattacks has struck the e-commerce world, targeting the widely used Magento platform with a vulnerability so severe it hands attackers the keys to the kingdom. Dubbed “SessionReaper” (CVE-2025-54236), this critical flaw has allowed threat actors to bypass authentication and seize root-level control of online stores worldwide.
Oasis Security has released a report detailing an “aggressive mass exploitation campaign” that is actively compromising digital storefronts. The scale of the attack is alarming: researchers identified over 1,000 vulnerable Magento Commerce APIs, with hundreds of victims having already fallen prey to full system compromise.
At the heart of this campaign is a failure in how Magento handles user sessions. “SessionReaper” exploits a logic flaw where old session tokens aren’t properly killed off, allowing attackers to pick them up and use them again.
As the report explains: “CVE-2025-54236 (SessionReaper) is a Magento vulnerability that enables attackers to bypass authentication by reusing improperly invalidated session tokens, potentially leading to full system compromise”.
By capturing and replaying these “zombie” tokens, attackers can hijack active sessions. The report notes that the flaw allows for “enabling session hijacking and unauthorized account access”, effectively letting intruders walk through the front door disguised as legitimate administrators.
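To make the mechanism concrete, here is an added illustrative model (not Magento code, and not from the Oasis report) of the weakness the article describes: a session store whose logout and token rotation only make the client forget a token, so the "old" token is still honoured if replayed, beside a hardened store that revokes superseded and logged-out tokens server-side. The store classes, the `rotate` operation and the `admin` user name are constructed for the example.

```python
import secrets


class WeakSessionStore:
    """Models the flaw: superseded tokens are never removed server-side."""

    def __init__(self):
        self._sessions = {}  # token -> user name (constructed in-memory store)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def rotate(self, token):
        """Issue a fresh token on privilege change but leave the old one live."""
        return self.login(self._sessions[token])  # old token still resolves: the bug

    def logout(self, token):
        pass  # only the client drops its cookie; the server record survives

    def resolve(self, token):
        return self._sessions.get(token)  # user name, or None if unknown


class HardenedSessionStore(WeakSessionStore):
    """Revokes the old token on rotation and on logout, so replay fails."""

    def rotate(self, token):
        user = self._sessions.pop(token)  # the superseded token dies here
        return self.login(user)

    def logout(self, token):
        self._sessions.pop(token, None)  # server-side revocation, not just cookie clearing


def replay_after_logout(store, user="admin"):
    """What a captured token resolves to once its owner has logged out."""
    token = store.login(user)
    store.logout(token)
    return store.resolve(token)


def replay_after_rotation(store, user="admin"):
    """What the superseded token resolves to after the session was rotated."""
    old = store.login(user)
    store.rotate(old)
    return store.resolve(old)
```

With the weak store both replay functions still return the user, which is the "zombie token" behaviour the article describes; with the hardened store they return None.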
The consequences for victims have been catastrophic. Unlike simple data scraping or defacement, this campaign aims for total domination of the server.
In one documented case, “large-scale exploitation led to the compromise of 200+ websites worldwide and root-level access”. Gaining root access allows attackers to do virtually anything: steal customer credit card data, install ransomware, or pivot to other internal networks.
In other incidents, the attackers focused on persistence, using the vulnerability to “deploy web shells on Magento sites in Canada and Japan, enabling persistent access”. This ensures that even if the initial vulnerability is patched, the attackers retain a backdoor into the system.
Oasis Security’s investigation uncovered active command-and-control (C2) infrastructure orchestrating these raids. The attacks have been linked to a specific IP address hosted in Finland: 93.152.230.161.
The report warns that this is not an isolated incident but an ongoing operation: “Active C2 infrastructure was discovered orchestrating an ongoing campaign”.
With a list of “1,460 APIs identified as vulnerable to CVE-2025-54236 exploitation”, the potential blast radius is significant. E-commerce administrators are urged to patch their Magento installations immediately, as SessionReaper continues to harvest unpatched systems across the globe.