SessionReaper in the wild: new wave of attacks exploiting Adobe Commerce CVE-2025-54236

Background

When Adobe disclosed CVE-2025-54236 - a critical vulnerability in Adobe Commerce and Magento Open Source - in early September, the company urged merchants to patch immediately.
The flaw, nicknamed “SessionReaper,” affected the Commerce REST API and allowed potential unauthenticated account takeovers, earning a CVSS base score of 9.1.

Two months later, this vulnerability has moved from a theoretical concern to a real-world problem.
Security firms now report active exploitation across hundreds of Magento stores, with signs of compromise appearing even in some patched environments.

Active exploitation confirmed

In mid-October, Sansec researchers reported that over 250 Magento and Adobe Commerce stores had been attacked within a 24-hour period, leveraging the same CVE-2025-54236 weakness.
The attacks involve uploading malicious PHP code into the directory:

pub/media/customer_address/s/e/sess_*

These files are the first stage of the SessionReaper attack, used to establish persistence or execute follow-up payloads.
Even stores that have applied Adobe’s September hotfix may still find non-executable sess_* files present on disk - a sign that attackers are scanning and probing aggressively.

According to Sansec, roughly 62% of Magento stores remain unpatched six weeks after Adobe’s fix was released. Around 16–18% already show traces of uploaded webshells or backdoors.

Adobe’s latest response

On October 22, 2025, Adobe updated its official advisory (APSB25-88) to include the statement:

“Adobe is aware of CVE-2025-54236 being exploited in the wild.”

The company reiterated that Web Application Firewall (WAF) rules for Adobe Commerce Cloud customers are temporary mitigations, not replacements for patching.

Additionally, Adobe introduced stricter constructor parameter injection controls in the API layer to prevent similar weaknesses in the future and published updated verification guidance for patch validation using the Quality Patches Tool (QPT).

Why this vulnerability is so dangerous

At its core, SessionReaper stems from improper input validation within the REST API. Under certain conditions, the flaw can go beyond session hijacking to enable remote code execution (RCE) if chained with existing file upload misconfigurations.

Because the exploit requires no authentication, it opens the door for mass scanning and automated attacks - a perfect fit for bot-driven exploitation campaigns.

The attack chain typically involves:

  1. Uploading a PHP payload through the customer_address_file/upload endpoint.

  2. Storing it in a predictable media path.

  3. Triggering execution or data exfiltration through crafted API calls.

What e-commerce operators should do now

The situation has evolved: simply patching is no longer enough. Teams need to combine patch validation, system scans, and proactive blocking.

1. Verify patch installation

Confirm that VULN-32437-2-4-X-patch is applied and active.
Run the Quality Patches Tool or check your build logs.
For on-premises setups, ensure the patch is not overwritten by deployment or custom modules.

2. Update vulnerable modules

The Custom Attributes Serializable module (versions 0.1.0–0.3.0) remains directly linked to the exploit vector.
Upgrade immediately to v0.4.0 or newer.

3. Scan for signs of compromise

Look for:

  • Files named sess_* under /pub/media/customer_address/

  • Suspicious PHP files like static.php, sysapi.php, or bootstrap.php

  • Unexpected REST API calls to /customer/address_file/upload

  • Anomalous login or POST traffic from unfamiliar IPs

Sansec’s eComscan and similar tools can detect common webshells and indicators of compromise.
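As an added example (not code from the original article, Sansec or Adobe), the checks in the list above turned into a small offline sweep: one function classifies file paths found under the media tree, one walks a real docroot, and one flags access-log lines. The function names, the "/rest/V1" prefix in the constructed sample lines and the rule that no PHP file belongs anywhere under pub/media are assumptions made here.

```python
# Added example (not from the original article): indicator sweep over constructed data.
import re
from pathlib import Path

MEDIA_ROOT = Path("pub/media")
ADDRESS_DIR = MEDIA_ROOT / "customer_address"
UPLOAD_ENDPOINT = "/customer/address_file/upload"
KNOWN_NAMES = {"static.php", "sysapi.php", "bootstrap.php"}  # names cited above
# Combined log format: ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_paths(rel_paths):
    """Sorted (relative_path, reason) pairs for paths that match an indicator."""
    hits = []
    for rel in rel_paths:
        p = Path(rel)
        if MEDIA_ROOT not in p.parents:
            continue  # only the media tree is of interest here
        if ADDRESS_DIR in p.parents and p.name.startswith("sess_"):
            hits.append((rel, "sess_* upload artifact"))
        elif p.name in KNOWN_NAMES:
            hits.append((rel, "known webshell file name"))
        elif p.suffix.lower() == ".php":
            hits.append((rel, "PHP file under media"))  # assumption: never legitimate
    return sorted(hits)

def scan_docroot(docroot):
    # Walk pub/media under a real Magento docroot and classify every file found.
    root = Path(docroot)
    if not (root / MEDIA_ROOT).is_dir():
        return []
    files = (p for p in (root / MEDIA_ROOT).rglob("*") if p.is_file())
    return classify_paths(str(p.relative_to(root)) for p in files)

def suspicious_requests(lines):
    """(ip, method, path, reason) for access-log lines that match an indicator."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, path, _status = m.groups()
        path = path.split("?", 1)[0]  # ignore query strings
        if method == "POST" and UPLOAD_ENDPOINT in path:
            out.append((ip, method, path, "POST to address-file upload endpoint"))
        elif "/customer_address/" in path and Path(path).name.startswith("sess_"):
            out.append((ip, method, path, "fetch of an uploaded sess_* file"))
    return out

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.10 - - [20/Oct/2025:03:14:07 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 512',
    '203.0.113.10 - - [20/Oct/2025:03:14:09 +0000] "GET /media/customer_address/s/e/sess_4f2a.php HTTP/1.1" 200 77',
    '198.51.100.7 - - [20/Oct/2025:03:15:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9120',
]
```

Run scan_docroot against the store's document root and suspicious_requests over the web server's access log; a burst of upload POSTs from one source, followed by fetches of sess_* files, is the pattern to escalate.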

4. Restrict or block risky endpoints

If your store does not require the customer/address_file/upload endpoint, block it immediately via:

  • Cloudflare, Fastly, or Akamai WAF rules

  • Your reverse proxy or CDN configuration

5. Communicate and monitor

  • Inform internal stakeholders that exploitation is active.

  • Continue monitoring Adobe’s Experience League and Security Bulletins for follow-up updates.

  • Keep regular system integrity scans and backups.

Broader implications

CVE-2025-54236 highlights the vulnerability of e-commerce ecosystems that rely on intricate APIs and third-party modules.
Even with strong patch management, latent file upload paths and legacy code can reopen risk windows.

In the words of Sansec’s founder, Willem de Groot, “When patches are public, exploits follow fast. The only sustainable defense is visibility - knowing what runs inside your store.”

Key takeaways

  • Exploitation confirmed: CVE-2025-54236 (SessionReaper) is being actively used in the wild.

  • Partial patch coverage: Fewer than half of the affected stores have applied the official fix.

  • Post-patch hygiene matters: Even patched sites may contain non-executable malicious uploads.

  • Defense in depth: Combine patching, WAF, endpoint blocking, and continuous scanning.

Conclusion

What began as a critical disclosure in September has now evolved into an active exploitation campaign.
For Adobe Commerce and Magento store operators, time is of the essence - patch verification, log audits, and active defense are now operational imperatives, not optional steps.

If your environment hasn’t been reviewed since the September advisory, schedule a full audit today.
The SessionReaper threat is no longer theoretical - it’s happening right now.

If you need any help patching your store, don’t hesitate to contact us.