Magento & Adobe Commerce Facing Major Attack Surge: SessionReaper

Magento 2 and Adobe Commerce users are currently dealing with a critical security crisis: the SessionReaper vulnerability (CVE-2025-54236) has triggered a rapid surge in malware attacks, jumping 47% in recent weeks[1][5].

What Is SessionReaper?

SessionReaper is a remote code execution flaw that lets attackers hijack user sessions and even seize full control of a store’s server - often without any authentication[1][5]. Exploitation typically involves uploading malicious session files, which can lead to stolen data, fraudulent transactions, and long-term backdoors in your shop’s codebase[1][5].

Scale of the Threat

• More than 250 Magento stores were hit within 24 hours of exploit details becoming public[5][1].
• Over 60% of Magento sites remain unpatched over a month after the fix[5][1].
• Attackers prey on both Magento Open Source and Adobe Commerce, focusing on sites slow to update[1].

What Should Merchants Do?

• Check your site now using ThreatView.  
• This is a free scanner that will check your site from an external perspective. ThreatView Advanced Edition will provide you with comprehensive Filesystem and Database threat detection.
• Apply the latest Adobe patch immediately to block ongoing attacks[1].
• Remove suspicious session files and check for hidden backdoors even if you’ve already patched.

The attacks are accelerating - proactive patching and scanning are crucial to protect your customers and your business[1][5].

Sources

[1] Thousands of online stores at risk as SessionReaper ... https://www.malwarebytes.com/blog/news/2025/10/thousands-of-online-stores-at-risk-as-sessionreaper-attacks-spread

[2] Critical Adobe Commerce, Magento vulnerability under ... https://www.helpnetsecurity.com/2025/10/23/adobe-magento-cve-2025-54236-attack/

[3] Adobe Security Bulletin https://helpx.adobe.com/security/products/magento/apsb25-88.html

[4] SessionReaper: Account Takeover and Unauthenticated ... https://www.greenbone.net/en/blog/sessionreaper-account-takeover-and-unauthenticated-rce-in-magento-and-adobe-commerce/

[5] Over 250 Magento Stores Hit Overnight as Hackers Exploit ... https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html

[6] SessionReaper (CVE-2025-54236): Critical Adobe ... https://socradar.io/sessionreaper-cve-2025-54236-adobe-commerce-exploit/

[7] Adobe Commerce / Magento Insecure Deserialization ... https://www.tenable.com/plugins/was/115019

[8] Why nested deserialization is STILL harmful – Magento ...

‍