A coordinated wave of cyberattacks has struck the e-commerce sector overnight, with security experts reporting that over 250 Magento stores were targeted by hackers exploiting a critical, recently publicized flaw in the Adobe Commerce and Magento Open Source platforms. E-commerce security company Sansec detected more than 250 exploitation attempts over the past 24 hours, warning that this figure is likely to escalate as automated tools for the attack become more widespread. The vulnerability, tracked as CVE-2025-54236 and nicknamed “SessionReaper,” is a critical improper input validation flaw (CVSS score 9.1) that affects the Commerce REST API and can potentially allow an attacker to hijack customer accounts and, under certain conditions, achieve remote code execution (RCE). The attacks observed so far have included attempts to upload PHP webshells or probe for server configuration details using phpinfo.
Adobe had released an emergency patch for SessionReaper six weeks ago in September, but alarmingly, Sansec telemetry indicates that approximately 62% of all Magento stores worldwide remain unpatched and are fully exposed to the attack. The public release of a detailed technical analysis and exploit code by security researchers, which reverse-engineered Adobe’s initial hotfix, appears to have immediately triggered the aggressive exploitation campaign now underway. This flaw’s severity and ease of exploitation draws comparisons to past catastrophic Magento vulnerabilities like CosmicSting and Shoplift, which led to mass store compromises. Experts are urgently advising all website administrators running affected versions of Adobe Commerce and Magento Open Source to immediately deploy the latest security patches or hotfixes to prevent compromise. The ongoing campaign appears to be well-resourced, with initial attacks originating from multiple IP addresses across different hosting providers. Store owners are also urged to perform a malware scan on their systems to check for any existing signs of compromise, such as unexpected PHP files or backdoors, which the hackers are attempting to plant via fake sessions. The longer stores delay patching, the higher the risk of financial theft and loss of customer data becomes.
