Hackers Exploit Adobe Commerce Flaw “SessionReaper”

E-commerce platforms running Adobe Commerce and Magento Open Source are facing active attacks after the disclosure of a critical SessionReaper vulnerability.

Published on Oct 28, 2025
Written by Mirren McDade

Security firm Sansec has reported that e-commerce stores are still experiencing attacks, six weeks after Adobe released an emergency patch for its “SessionReaper” vulnerability.

Adobe first addressed the flaw (tracked as CVE-2025-54236) last month, describing it as an improper input validation vulnerability that can be abused to hijack customer accounts via the Commerce REST API. Security researcher Blaklis is credited with discovering and responsibly disclosing the bug.

However, according to Sansec, only 38% of stores have installed the patch, and the firm has identified 250 attack attempts against multiple stores in the past 24 hours. 

How The Exploit Works

Threat actors have leveraged the flaw to deploy PHP webshells and probe phpinfo pages to extract configuration details. Sansec traced most attacks to five IP addresses:

  • 34.227.25[.]4
  • 44.212.43[.]34
  • 54.205.171[.]35
  • 155.117.84[.]134
  • 159.89.12[.]166
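As an added example (not code from the Sansec report or from this article), the following script does the kind of defender-side log triage this list invites: it flags web-server access-log lines that come from the five published source IPs or that request a phpinfo page. The combined access-log format and the "phpinfo appears in the request path" heuristic are assumptions; the IPs are kept defanged exactly as published and refanged at runtime.

```python
import re

# Source IPs named in the Sansec report, kept defanged exactly as published.
SESSIONREAPER_SOURCE_IPS_DEFANGED = [
    "34.227.25[.]4",
    "44.212.43[.]34",
    "54.205.171[.]35",
    "155.117.84[.]134",
    "159.89.12[.]166",
]

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")

KNOWN_BAD_IPS = {refang(ip) for ip in SESSIONREAPER_SOURCE_IPS_DEFANGED}

# Assumption: Apache/Nginx "combined" access-log format; adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def classify(line: str) -> list[str]:
    """Return the reasons a log line is suspicious (empty list if none or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m.group("ip") in KNOWN_BAD_IPS:
        reasons.append("known SessionReaper source IP")
    # Assumption: phpinfo probes show up as requests whose path mentions "phpinfo".
    if "phpinfo" in m.group("path").lower():
        reasons.append("phpinfo probe")
    return reasons

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {ln: r for ln in lines if (r := classify(ln))}

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '159.89.12.166 - - [28/Oct/2025:10:01:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Oct/2025:10:01:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9312 "-" "Mozilla/5.0"',
    '34.227.25.4 - - [28/Oct/2025:10:02:11 +0000] "GET / HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [28/Oct/2025:10:03:30 +0000] "GET /pub/info.php?phpinfo=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)` to see which constructed lines are flagged and why; on a real store, feed it the access log and review hits alongside the patch status.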

SessionReaper ranks alongside high-impact flaws such as CosmicSting (2024), TrojanOrder (2022), and Shoplift (2015) in terms of severity. Each of these past vulnerabilities triggered rapid, widespread compromises, affecting thousands of online stores shortly after details of the exploits became public.

Researchers note that six weeks after Adobe’s emergency patch, approximately 62% of Magento stores remain unpatched, leaving the majority of online stores vulnerable to SessionReaper attacks. Sansec urged administrators to implement the updates immediately to prevent further compromise.

However, some organizations are questioning the effectiveness of the patch. Searchlight Cyber, in its technical analysis of the vulnerability, asked: “Given that this is the second time that there has been an issue with deserialization in Magento, there remains a big question: is this patch enough?”

The Bigger Picture

SessionReaper marks the second critical deserialization flaw to affect Adobe Commerce and Magento in as many years. In July 2024, the CosmicSting vulnerability (CVE-2024-34102) was widely exploited, underscoring the ongoing challenges of securing e-commerce platforms.

These attacks highlight the urgency for store administrators to apply patches and follow recommended mitigations. With attackers actively leveraging unpatched systems to gain network access, the window for exploitation remains significant, reinforcing the importance of timely updates and vigilant monitoring.

With such a large number of stores still unpatched, and reports of the flaw being actively exploited, analysts predict that these attacks will continue to cause disruption until the at-risk stores deploy the patch.