
























Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation. Sansec Shield detected and blocked the first real-world attacks today, which is bad news for the thousands of stores that remain unpatched.
Security researchers at Assetnote published a detailed technical analysis of the vulnerability today, demo'ing the nested deserialization flaw that enables remote code execution. With proof-of-concept code circulating, the window for safe patching has effectively closed.
When we first reported on SessionReaper in September, fewer than one in three Magento stores had been patched. Six weeks later, that figure has barely improved: only 38% of stores are now protected. This means that 62% of Magento stores remain vulnerable to a critical remote code execution attack with publicly available exploit details.
For context, SessionReaper is comparable in severity to CosmicSting (2024), TrojanOrder (2022), and Shoplift (2015). Each of these vulnerabilities led to thousands of compromised stores, often within hours of exploit publication.
With exploit details now public and active attacks already observed, we expect mass exploitation within the next 48 hours. Automated scanning and exploitation tools typically emerge quickly after technical writeups are published, and SessionReaper's high impact makes it an attractive target for attackers.
See the full SessionReaper timeline in our initial article.
If you are already using Sansec Shield, you have been protected against SessionReaper attacks since the initial discovery in September. No further action is needed.
If you are not using Sansec Shield, you must act immediately:
Sansec tracks ecommerce attacks in real-time around the globe. Today we blocked over 250 SessionReaper exploitation attempts in the wild targeting multiple stores. We will update this article as new details about attack patterns and methods emerge.
Attacks are coming from the following IPs.
34.227.25.4
44.212.43.34
54.205.171.35
155.117.84.134
159.89.12.166
Attack payloads so far contained PHP webshells or phpinfo probes.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。