by Sansec Forensics Team - sansec.io

Published in Threat Research − September 08, 2025

Adobe released an out-of-band emergency patch for SessionReaper (CVE-2025-54236). The bug may hand control of a store to unauthenticated attackers. Automated abuse is expected and merchants should act immediately.

Article updated: Sep 9th, 2025 13:48 UTC

Adobe broke their regular release schedule to publish a fix for a critical (9.1) flaw in all versions of Adobe Commerce and Magento. The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so may less benign parties. It does not help that the Adobe patch was accidentally leaked last week, so bad actors may already be working on the exploit code.

Adobe's official advisory describes the impact as "an attacker could take over customer accounts," which does not mention the risk of remote code execution. The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack:

"Blaklis
BTW, this is a potential preauth RCE, whatever the bulletin is saying.
Please patch ASAP"

SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.
Timeline

Aug 22nd: Adobe internally discusses emergency fix
Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88

What merchants should do

If you are already using Sansec Shield, you are protected against this attack.

If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions.

If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only two WAFs block this attack right now: Adobe Fastly and Sansec Shield.

If you did deploy the patch but not within 24 hours of publication, we recommend to run a malware scanner like eComscan to find any signs of compromise on your system. We also recommend to rotate your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely.
How the attack works

Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API.

The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.
Active exploitation

Sansec tracks ecommerce attacks in real-time around the globe. We have not seen any active abuse yet but will update this section when we do.

Follow live ecommerce attacks here.

Acknowledgements

Credits to Blaklis for discovering the flaw.

Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research.

Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 10% of all Magento stores worldwide.

Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.

Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.

Vendor Package
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.

This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.

We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.

A detailed analysis of a multi-stage card skimming attack exploiting outdated Magento software and fake image files.

In today’s post we’re going to review a sophisticated, multi-stage carding attack on a Magento eCommerce website. This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website.

The client was experiencing some strange behaviour on their checkout page, including clients unable to input their card details normally, and orders not going through. They contacted us for assistance. Thinking this would be a straightforward case of credit card theft instead what we found was actually a fascinating and rather advanced malware which we will explore in detail in this post.

Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild.