Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce, with hundreds of attempts recorded, e-commerce security firm Sansec said.
Adobe warned on September 8 that the flaw is an improper input validation vulnerability affecting Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, and said an attacker could take over customer accounts through the Commerce REST API.
Sansec previously said that successful exploitation likely depends on session data being stored on the file system, the default configuration for most stores, and that a leaked hotfix from the vendor could provide clues to exploitation methods. Six weeks after Adobe issued an emergency patch, Sansec's bulletin now reports that the vulnerability has entered active exploitation.
Sansec said its protections detected and blocked more than 250 SessionReaper exploitation attempts targeting multiple stores on the same day, with most attacks originating from five IP addresses: 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134 and 159.89.12.166. The attempts included PHP webshells and phpinfo probes used to check configuration settings and predefined variables.
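A store operator reading the indicators above will want to check their own web server logs for the same activity. The script below is an added example, not code from Sansec or Adobe: it parses web server access logs in the common combined format (an assumption; adjust the regex for a custom format) and flags requests from the five source addresses Sansec reported, phpinfo probes, and requests for PHP files under the media directory, which Magento should never serve and which is a typical place a dropped webshell would be requested from (the media-path heuristic is an assumption of this example, not a finding from the article). The log lines are constructed for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Source addresses Sansec reported as the origin of most SessionReaper attempts.
REPORTED_ATTACK_IPS = {
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
}

# Combined log format (Apache/nginx default). Assumed format; adapt for custom log layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories Magento uses for uploaded media; PHP files requested here are suspicious.
# Assumption of this example: paths may differ on a store with a custom document root.
MEDIA_PREFIXES = ("/media/", "/pub/media/")


@dataclass
class Finding:
    ip: str
    path: str
    status: str
    reasons: tuple


def classify(line):
    """Return a Finding for a suspicious log line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m["ip"], m["path"], m["status"]
    lower = path.lower()
    reasons = []
    if ip in REPORTED_ATTACK_IPS:
        reasons.append("reported-attack-ip")
    if "phpinfo" in lower:
        reasons.append("phpinfo-probe")
    if lower.startswith(MEDIA_PREFIXES) and lower.split("?", 1)[0].endswith(".php"):
        reasons.append("php-under-media")
    if lower.startswith("/rest/") and ip in REPORTED_ATTACK_IPS:
        reasons.append("rest-api-from-reported-ip")
    if not reasons:
        return None
    return Finding(ip, path, status, tuple(reasons))


def scan(lines):
    """Scan an iterable of access-log lines and return the suspicious ones in order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def count_by_ip(findings):
    """Summarise findings per source address, useful for blocking decisions."""
    return dict(Counter(f.ip for f in findings))


# Constructed sample log lines (not real traffic); timestamps are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123',
    '34.227.25.4 - - [01/Jan/2025:10:00:05 +0000] "POST /rest/default/V1/products HTTP/1.1" 200 88',
    '159.89.12.166 - - [01/Jan/2025:10:00:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /pub/media/tmp/x.php?c=1 HTTP/1.1" 200 12',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:16} {f.status} {f.path}  <- {', '.join(f.reasons)}")
    print(count_by_ip(scan(SAMPLE_LOG)))
```

Run it against a real access log with `scan(open("access.log"))`. A hit on `php-under-media` with a 200 status deserves immediate attention, since it indicates a PHP file is being served from a directory that should only hold images and uploads, regardless of which address requested it.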
Researchers at Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, which could lead to an increase in exploitation attempts. Sansec said 62% of Magento stores online have yet to install Adobe’s security update and remain vulnerable; ten days after the fix became available only one in three sites had installed it, and currently three in five stores are still exposed.
Website administrators are strongly advised to apply the patch or the recommended mitigations from Adobe as soon as possible to protect customer accounts and reduce the risk of session takeover.