Severity
High
Analysis Summary
Hackers are actively exploiting a critical remote code execution flaw in Adobe Commerce / Magento Open Source dubbed SessionReaper and tracked as CVE-2025-54236. The bug, rated high, was patched by Adobe on 9 September 2025 after a researcher disclosed it; however, proof-of-concept exploit code published by Assetnote on 21 October 2025 sharply narrowed the window in which stores could patch before being targeted. Attack activity is already confirmed in the wild: security firm Researcher reported blocking more than 250 exploitation attempts on 22 October 2025, with attacks originating from multiple IPs worldwide, and automated scanning is expected to multiply attacks rapidly.
Technically, SessionReaper stems from improper input validation in the Commerce REST API (notably the /customer/address_file/upload endpoint) that lets attackers upload malicious data disguised as session content. The underlying nested deserialization vulnerability enables attackers to execute arbitrary code when stores use file-based session storage; Redis or database-backed session stores may also be vulnerable under certain configurations. Exploits probe the server setup, drop web shells or backdoors, and facilitate downstream activity such as credential theft, malware injection, or supply-chain compromise, making the flaw high-impact for e-commerce environments.
Researcher’s monitoring shows only 38% of Magento stores have implemented protections roughly six weeks after the emergency patch, leaving about 62% exposed, a gap comparable to prior wide-scale Magento incidents (e.g., CosmicSting, TrojanOrder, Shoplift). Researcher’s forensics links observed payloads to IPs including 34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166, and the firm warns that automated scanners and commodity exploit kits will likely drive a sharp rise in successful compromises unless remediation accelerates.
Apply Adobe’s official patch or upgrade to the latest secure release immediately; if you cannot patch right away, deploy a web application firewall (WAF) to block malicious upload attempts and anomalous session data. Monitor logs and file integrity for signs of web shells, unusual session file writes, or suspicious outgoing connections; rotate credentials and review payment-processing components for compromise. Given the exploitability, high severity, and low patch uptake, merchants and hosting providers should treat this as a critical incident and act urgently to reduce exposure.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-54236
Affected Vendors
- Adobe
Remediation
- Apply Adobe’s official patch or upgrade to the latest secure Magento/Adobe Commerce release.
- If you can’t patch immediately, enable a WAF with rules blocking the /customer/address_file/upload endpoint and suspicious file-upload/session payloads.
- Disable file-based session storage; move session storage to Redis or a database if possible.
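As an added triage helper that is not part of this advisory or of Adobe's tooling: it flags access-log requests touching the /customer/address_file/upload endpoint or coming from the IPs named above, and checks whether app/etc/env.php still selects the file-based session storage the remediation list says to disable. It assumes the common combined access-log format and treats a missing session 'save' setting as file-based (Magento's default); the log lines are constructed samples.

```python
"""Triage helper for the SessionReaper (CVE-2025-54236) advisory above."""
import re

# Source IPs named in the advisory as linked to observed payloads
ADVISORY_IPS = {"34.227.25.4", "44.212.43.34", "54.205.171.35",
                "155.117.84.134", "159.89.12.166"}
# Endpoint named in the advisory; matched as a substring so that
# REST prefixes or query strings do not hide it
TARGET_PATH = "/customer/address_file/upload"

# Assumption: combined access-log format (nginx/Apache default)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def triage(lines):
    """Return one dict per suspicious line, with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # unparseable line: skip, never crash the sweep
            continue
        reasons = []
        if TARGET_PATH in m["path"]:
            reasons.append("upload-endpoint")
        if m["ip"] in ADVISORY_IPS:
            reasons.append("advisory-ip")
        if reasons:
            hits.append({"reasons": reasons, "ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "path": m["path"],
                         "status": int(m["status"])})
    return hits


def session_storage_is_file_based(env_php):
    """True if env.php selects 'files' session storage, or sets nothing
    (assumption: absence falls back to Magento's 'files' default)."""
    m = re.search(r"'session'\s*=>\s*\[\s*'save'\s*=>\s*'(\w+)'", env_php)
    return m is None or m.group(1) == "files"


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Oct/2025:10:14:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123',
    '34.227.25.4 - - [22/Oct/2025:10:14:07 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 87',
    '198.51.100.7 - - [22/Oct/2025:10:15:30 +0000] "POST /customer/address_file/upload?x=1 HTTP/1.1" 403 0',
    '159.89.12.166 - - [22/Oct/2025:10:16:02 +0000] "GET /robots.txt HTTP/1.1" 200 120',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A hit tagged "upload-endpoint" with a 200 status deserves a file-integrity check of the session directory and web root, not just a log note.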