Magento Stores Under Siege: “SessionReaper” Attacks Highlight a Critical Patching Problem

Over 250 Magento stores were hit with attacks exploiting the critical **CVE-2025-54236** vulnerability in just 24 hours, and shockingly, nearly two-thirds remain unpatched six weeks after Adobe released a fix. This isn’t just a technical glitch; it’s a stark warning about the escalating speed and sophistication of e-commerce attacks, and the potentially devastating consequences of delayed security updates.

The “SessionReaper” Campaign: How Attackers Are Gaining Access

Dubbed “SessionReaper” by security researchers at Sansec, the attacks leverage an “improper input validation” flaw within Magento’s REST API. Attackers are exploiting this vulnerability to hijack customer accounts, gaining access to sensitive data and potentially enabling fraudulent transactions. The method of entry is particularly insidious: PHP webshells are uploaded disguised as legitimate sessions via the ‘/customer/address_file/upload’ endpoint.

Sansec’s investigation identified attacks originating from five distinct IP addresses, suggesting a coordinated effort. While the source could be multiple threat actors, it’s more likely a single group employing tactics like VPNs and proxy servers to obfuscate their true location – a common practice to evade detection and attribution. This highlights the increasing complexity of tracing and mitigating these attacks.

Beyond Account Takeover: The Risk of Backdoor Access

The attackers aren’t simply stopping at account takeover. They are actively probing for PHP configuration data using tools like phpinfo and deploying PHP webshells. These webshells provide persistent, backdoor access to compromised servers, allowing attackers to further compromise the system, steal data, or even launch attacks against other targets. This escalation from initial access to full system compromise is a major concern.

Why Are So Many Stores Still Vulnerable? The Patching Gap

The fact that 62% of Magento stores remain vulnerable six weeks after a patch became available is deeply troubling. This isn’t a matter of technical difficulty; it’s a failure of process and prioritization. Several factors contribute to this patching gap:

• Complexity of Magento Updates: Magento updates can be complex and time-consuming, particularly for customized installations.
• Fear of Breaking Changes: Merchants often hesitate to apply updates due to concerns about compatibility issues with extensions or custom code.
• Lack of Dedicated Security Resources: Many small and medium-sized e-commerce businesses lack dedicated security personnel to proactively manage vulnerabilities.

The Broader Trend: E-commerce as a Prime Target

CVE-2025-54236 isn’t an isolated incident. This is the second deserialization vulnerability discovered in Adobe Commerce and Magento platforms in the last two years. In July 2024, the equally critical CosmicSting flaw (9.8/10 severity) was also actively exploited. This pattern demonstrates a clear trend: e-commerce platforms, with their wealth of valuable customer data and financial transactions, are increasingly becoming prime targets for cybercriminals.

The rise of Magecart attacks – where attackers inject malicious code into e-commerce websites to steal credit card information – further underscores this threat. These attacks, combined with vulnerabilities like CVE-2025-54236, create a multi-layered security challenge for online retailers.

What Can Magento Store Owners Do Now?

Immediate action is crucial. Sansec recommends a three-pronged approach:

1. Patch Immediately: Prioritize testing and deploying the official Adobe patch as quickly as possible.
2. Implement WAF Protection: For those unable to patch immediately, activate Web Application Firewall (WAF) protection to provide a temporary layer of defense.
3. Scan for Compromise: Run a malware scanner, such as eComscan, to identify any signs of existing compromise.

Beyond these immediate steps, businesses should adopt a more proactive security posture. This includes regular vulnerability scanning, penetration testing, and employee training on security best practices. Investing in robust security measures is no longer optional; it’s essential for survival in today’s threat landscape.

The “SessionReaper” attacks serve as a critical wake-up call. The speed at which vulnerabilities are exploited is increasing, and the consequences of inaction are severe. E-commerce businesses must prioritize security and adopt a proactive approach to protect themselves and their customers. What steps are *you* taking to ensure your Magento store is secure against evolving threats? Share your thoughts in the comments below!