E-commerce security firm Sansec has issued an urgent alert after detecting over 250 coordinated attack attempts targeting Magento Open Source and Adobe Commerce stores within a single 24-hour period. The attacks exploit CVE-2025-54236, a critical vulnerability with a CVSS score of 9.1 that enables threat actors to hijack customer accounts through REST API manipulation and improper input validation, creating severe security risks for online retailers worldwide.
Critical REST API Vulnerability Enables Account Takeover Attacks
CVE-2025-54236 represents a severe security flaw in Magento’s REST API framework that allows unauthenticated attackers to bypass security controls and gain unauthorized access to customer accounts. The vulnerability stems from improper input validation mechanisms within the platform’s core authentication processes, enabling malicious actors to manipulate API requests and escalate privileges without legitimate credentials or authorization tokens.
Security researchers have dubbed this vulnerability “SessionReaper” due to its ability to harvest active user sessions and compromise customer data through sophisticated API manipulation techniques. The flaw affects multiple versions of both Magento Open Source and Adobe Commerce platforms, making it one of the most widespread e-commerce security threats discovered in recent years, with potential impacts spanning millions of online stores globally.
Widespread Exploitation Despite Available Security Patches (7 words)
Despite Adobe releasing official security patches last month through Security Bulletin APSB24-88, approximately 62% of Magento installations remain vulnerable to active exploitation. This alarming statistic highlights the persistent challenge of patch management in e-commerce environments, where store owners often delay critical updates due to concerns about compatibility issues, downtime, or a lack of technical expertise in implementing security fixes properly.
The delayed patch adoption has created a significant window of opportunity for cybercriminals to deploy web shells, extract sensitive PHP configuration data, and establish persistent backdoors within compromised e-commerce systems. Attackers are specifically targeting vulnerable endpoints such as “/customer/address_file/upload” to upload malicious scripts that provide ongoing access to compromised stores and customer databases containing valuable personal and financial information.
“Adobe is aware of CVE-2025-54236 being exploited in the wild and recommends customers apply the updates as soon as possible.” – Adobe Security Bulletin APSB25-88
SessionReaper Attacks Mirror Previous CosmicSting Campaign Patterns
The current wave of CVE-2025-54236 exploits bears striking similarities to the CosmicSting campaign from July 2024, which targeted CVE-2024-34102, another critical deserialization vulnerability in Magento platforms. Both attack campaigns demonstrate a sophisticated understanding of Magento’s architecture and exploit similar weaknesses in input validation and session management, suggesting coordinated efforts by experienced threat actors with deep knowledge of e-commerce platform vulnerabilities.
Security analysts note that the rapid exploitation of CVE-2025-54236 following its disclosure indicates that threat actors have developed automated tools and scanning infrastructure specifically designed to identify and compromise vulnerable Magento installations. This systematic approach to e-commerce platform targeting suggests that Magento and Adobe Commerce sites will continue facing persistent threats from organized cybercriminal groups seeking to monetize stolen customer data. (77 words)
Immediate Response Actions Required for Store Administrators
Store administrators must implement comprehensive security measures immediately to protect their e-commerce platforms from ongoing SessionReaper attacks. The first critical step involves applying Adobe’s official security patches through the appropriate update channels, ensuring that all system components, including core files, extensions, and custom modifications, are properly updated to address the vulnerability and prevent unauthorized access attempts.
Following patch installation, administrators should conduct thorough security audits to identify any unauthorized web shells or malicious files that may have been uploaded through compromised endpoints. Special attention should be paid to file upload directories, particularly “/customer/address_file/upload” and similar user-accessible paths where attackers commonly deploy persistent backdoors to maintain access to compromised systems even after patches are applied.
Enhanced Monitoring Protocols Essential for Ongoing Protection
Implementing robust monitoring systems is crucial for detecting ongoing compromise attempts and identifying successful breaches before significant damage occurs. Store administrators should establish continuous monitoring of customer account activities, focusing on unusual login patterns, unauthorized account modifications, and suspicious administrative actions that may indicate successful account takeover attacks through the SessionReaper vulnerability.
Additionally, organizations should implement comprehensive logging mechanisms to track API requests, file uploads, and system modifications that could indicate ongoing malicious activity. Regular security assessments, including vulnerability scanning and penetration testing, help identify potential security gaps and ensure that protective measures remain effective against evolving threats targeting e-commerce platforms and customer data repositories.
The CVE-2025-54236 vulnerability represents a critical threat to the global e-commerce ecosystem, with over 250 documented attacks in just 24 hours demonstrating the urgent need for immediate action. Store administrators must prioritize patch deployment, conduct comprehensive security audits, and implement enhanced monitoring protocols to protect customer data and maintain business continuity in the face of persistent and sophisticated cyber threats.