
CVE-2025-54236: SessionReaper Exploit Hits 130K+ Magento Stores in Massive Hijacking Wave

SessionReaper strikes 130,000+ Magento stores, and customer accounts are hijacked in seconds.

The CrowdSec Network has detected active exploitation attempts targeting CVE-2025-54236 (“SessionReaper”), a critical deserialization vulnerability in Magento 2 and Adobe Commerce that allows unauthenticated attackers to hijack customer sessions and potentially achieve remote code execution.

Key findings of CVE-2025-54236

  • The exploitation write-up was disclosed on October 22, 2025 (6 weeks after the CVE was released); CrowdSec began observing exploitation on October 28, 2025, with sustained activity through November 23.
  • 1,376 exploitation signals over 20 tracked days (October 28–November 23), with a peak of 388 signals in a single day and up to 89 distinct attacking sources.
  • Adobe rated the issue as a “security feature bypass,” but researchers confirmed complete account takeover and RCE chains, prompting urgent remediation across 130,000+ Magento installations worldwide.

What is Magento/Adobe Commerce?

Magento is one of the world’s most popular open-source e-commerce platforms, powering over 130,000 online stores globally. Acquired by Adobe in 2018 for $1.68 billion, the enterprise edition was rebranded from “Magento Commerce” to “Adobe Commerce” in April 2021, while the open-source version remains “Magento Open Source.”

These platforms are used by retail managers, e-commerce directors, digital marketing teams, and IT administrators to run online storefronts that handle payment processing, customer accounts, inventory, and sensitive transaction data. A compromised Magento instance lets attackers steal customer credentials and payment information, manipulate orders, and use the platform as a pivot point into broader corporate networks, turning your revenue engine into a liability.

About the CVE-2025-54236 exploit

CVE-2025-54236 is a flaw in Magento’s API input deserialization mechanism (ServiceInputProcessor.php). Attackers craft malicious nested objects in API requests to instantiate arbitrary PHP classes, including session management objects, which lets them set a customer_id of their choice. By chaining this with an unauthenticated file upload endpoint (/customer/address_file/upload), attackers can write a serialized PHP session payload to disk, then trigger deserialization to hijack any customer account or execute code.

The attack works in four steps:

  1. Self-register a customer account (no validation required)
  2. Generate a JWT token for API access
  3. Send a crafted PUT request to /rest/default/V1/carts/mine with a nested session object containing the victim’s customer ID
  4. Use the malicious session cookie to authenticate as the victim (or upload a Guzzle gadget chain for RCE)

Affected versions: Magento 2.4.x and Adobe Commerce instances using file-based session storage are critically vulnerable; Redis-backed sessions may have alternative exploitation paths.
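The two endpoints named above are both ordinary storefront routes, so a single request to either one is not a signal on its own; what a defender wants to see is one source touching both within a short window. The following script is an added example, not CrowdSec’s own parser or scenario and not code from the original write-up. It assumes Apache/nginx combined log format, the endpoint paths quoted in this article, a 15-minute correlation window chosen for illustration, and constructed sample log lines (documentation IP ranges, not real telemetry).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints named in the write-up. The store code segment ("default") varies per install,
# so it is matched loosely.
UPLOAD_PATH = "/customer/address_file/upload"
CART_MINE_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/carts/mine/?$")


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """Tag a request as 'upload', 'cart_put' or None (not relevant to this pattern)."""
    if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
        return "upload"
    if rec["method"] == "PUT" and CART_MINE_RE.match(rec["path"]):
        return "cart_put"
    return None


def find_suspects(lines, window=timedelta(minutes=15)):
    """Return {ip: summary} for sources that hit both endpoints within `window`.

    Either endpoint alone is normal traffic (cart updates, address attachments);
    the correlation across the two, in either order, is the signal worth alerting on.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip rather than crash the whole run
        tag = classify(rec)
        if tag:
            events[rec["ip"]].append((rec["ts"], tag))

    suspects = {}
    for ip, evs in events.items():
        evs.sort()
        uploads = [ts for ts, tag in evs if tag == "upload"]
        puts = [ts for ts, tag in evs if tag == "cart_put"]
        if not uploads or not puts:
            continue
        if any(abs(p - u) <= window for u in uploads for p in puts):
            suspects[ip] = {"uploads": len(uploads), "cart_puts": len(puts),
                            "first_seen": evs[0][0]}
    return suspects


# Constructed sample lines (not real telemetry); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges. 198.51.100.9 touches both endpoints but hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2025:10:01:12 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0
203.0.113.7 - - [28/Oct/2025:10:01:20 +0000] "POST /rest/default/V1/integration/customer/token HTTP/1.1" 200 44
203.0.113.7 - - [28/Oct/2025:10:01:35 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 118
203.0.113.7 - - [28/Oct/2025:10:02:03 +0000] "PUT /rest/default/V1/carts/mine HTTP/1.1" 500 93
198.51.100.4 - - [28/Oct/2025:10:05:44 +0000] "PUT /rest/default/V1/carts/mine?x=1 HTTP/1.1" 200 210
198.51.100.9 - - [28/Oct/2025:11:40:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 118
198.51.100.9 - - [28/Oct/2025:14:10:00 +0000] "PUT /rest/default/V1/carts/mine HTTP/1.1" 200 210
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, info in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
```

Run against the constructed sample, only 203.0.113.7 is flagged: it hits the upload endpoint and then PUTs to carts/mine within half a minute, while the other two sources hit only one endpoint or hit both hours apart. Tuning the window and adding the registration and token endpoints as further correlation stages is the natural next step for a production rule.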

Event timeline

CrowdSec telemetry reveals a concerning exploitation timeline that underscores the value of proactive threat intelligence. The vulnerability was published on September 9, 2025, but remained relatively quiet until exploitation details were revealed. Active exploitation began on October 23, 2025, two full days before CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on October 25. CrowdSec released detection rules on November 5 and confirmed the first in-the-wild exploitation signals on November 7, well ahead of CISA’s November 15 remediation deadline under BOD 22-01.

Trend analysis

  • September 9, 2025: CVE-2025-54236 is publicly disclosed by Adobe with an emergency patch.
  • October 22, 2025: A first bug analysis with exploitation details is released by the Slcyber Research Center.
  • October 23, 2025: First traces of active exploitation appear in CrowdSec Intelligence, two days before the CISA KEV listing.
  • October 25, 2025: CISA adds the CVE to the Known Exploited Vulnerabilities (KEV) catalog.
  • November 5, 2025: CrowdSec releases detection rules.
  • November 7, 2025: The CrowdSec Network confirms the first in-the-wild exploitation signals.
  • November 15, 2025: CISA’s mandatory remediation deadline under BOD 22-01 expires.

Since initial detection, the CrowdSec Network has recorded 1,376 exploitation signals over 20 days (October 28–November 23), with sustained daily activity averaging 70 attempts. The peak of 388 signals and 89 distinct sources in a single day indicates both automated scanning campaigns and targeted exploitation by multiple threat actors.

The rapid weaponization, with exploitation starting just 44 days after disclosure and before the official KEV listing, demonstrates how quickly adversaries capitalize on public proof-of-concept code. Given Magento’s prevalence in e-commerce and the approaching holiday shopping season, unpatched instances represent high-value targets for credential harvesting, payment data theft, and supply chain compromises.

How to protect your systems

Research & references:
