
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw

Severity: Critical
Tags: exploit, RCE
Published: Thu Oct 23 2025 (10/23/2025, 05:47:00 UTC)
Source: The Hacker News

Description

A critical vulnerability (CVE-2025-54236) in Adobe Commerce and Magento Open Source, known as SessionReaper, enables remote code execution via improper input validation in the Commerce REST API. Attackers have exploited it to upload PHP webshells and take over customer accounts; over 250 Magento stores were targeted within 24 hours of public disclosure. Although patches are available, 62% of Magento stores remain vulnerable six weeks after disclosure. The flaw is a nested deserialization vulnerability that allows attackers to execute arbitrary code without authentication. Attackers have used it to probe PHP configurations and deploy backdoors, posing significant risk to e-commerce operations. European organizations relying on Magento are at high risk, especially those with delayed patching. Immediate patching and enhanced monitoring are critical to prevent widespread compromise.

AI-Powered Analysis

AI analysis last updated: 10/23/2025, 06:01:18 UTC

Technical Analysis

CVE-2025-54236, dubbed SessionReaper, is a critical security vulnerability affecting Adobe Commerce and Magento Open Source platforms. It is an improper input validation flaw within the Commerce REST API that allows unauthenticated attackers to perform nested deserialization attacks, leading to remote code execution (RCE). This vulnerability enables attackers to take over customer accounts and upload malicious PHP webshells disguised as fake sessions via the '/customer/address_file/upload' endpoint. The flaw was responsibly disclosed by researcher Blaklis and patched by Adobe approximately six weeks prior to the reported exploitation surge. Despite the availability of patches, a significant portion (62%) of Magento stores remain unpatched, leaving them exposed to active exploitation. Attackers have been observed leveraging this vulnerability to drop PHP backdoors and extract PHP configuration details using phpinfo probes, facilitating further compromise and persistence. The attacks originated from multiple IP addresses, indicating coordinated exploitation attempts. This vulnerability is the second major deserialization flaw impacting Adobe Commerce in recent years, following the CosmicSting vulnerability (CVE-2024-34102). Given the critical CVSS score of 9.1 and the ease of exploitation without authentication or user interaction, this vulnerability represents a severe threat to e-commerce platforms relying on Magento. The rapid exploitation within 24 hours of public disclosure underscores the urgency for organizations to apply patches and implement additional security controls to mitigate risk.

Potential Impact

European organizations operating Magento-based e-commerce platforms face significant risks from this vulnerability. Successful exploitation can lead to complete compromise of customer accounts, unauthorized access to sensitive customer data, and deployment of persistent webshells enabling further malicious activities such as data exfiltration, defacement, or ransomware deployment. The availability of proof-of-concept exploits and active scanning by threat actors increases the likelihood of widespread attacks. Disruption of e-commerce services can result in financial losses, reputational damage, and regulatory penalties under GDPR due to potential data breaches. The high prevalence of Magento stores in Europe, combined with delayed patch adoption, amplifies the threat landscape. Attackers may also leverage compromised stores as pivot points for broader network intrusions. The impact extends beyond confidentiality to integrity and availability, threatening business continuity and customer trust.

Mitigation Recommendations

1. Immediate application of Adobe's official patches for CVE-2025-54236 is paramount; organizations must verify patch deployment across all Magento instances.
2. Conduct thorough audits of web server directories for unauthorized PHP files, especially in upload paths like '/customer/address_file/upload', and remove any detected webshells.
3. Implement strict input validation and sanitization controls at the application layer to prevent malicious payloads.
4. Employ Web Application Firewalls (WAFs) with updated signatures to detect and block exploitation attempts targeting the REST API endpoints.
5. Monitor logs for suspicious activities such as unusual file uploads, phpinfo probes, or anomalous API calls.
6. Restrict access to the Commerce REST API to trusted IP ranges where feasible and enforce rate limiting to mitigate automated attacks.
7. Enhance incident response readiness by preparing forensic capabilities to analyze potential breaches stemming from this vulnerability.
8. Educate development and operations teams about the risks of deserialization vulnerabilities and secure coding practices to prevent recurrence.
9. Regularly scan Magento environments with specialized vulnerability scanners to detect unpatched instances and configuration weaknesses.
10. Engage with Magento security advisories and threat intelligence feeds to stay informed about emerging exploitation trends.
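The log monitoring in step 5, as an added example that is not part of the original advisory: a small Python filter over access log lines in the Apache/nginx combined format that flags writes to the upload endpoint named above, requests that look like phpinfo probes, and PHP files requested under a media path. The log format regex, the media-path heuristic and the sample lines are assumptions, not taken from the source.

```python
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD path proto" status size (an assumption about your log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the advisory: the address-file upload endpoint and phpinfo probes.
UPLOAD_ENDPOINT = "/customer/address_file/upload"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the list of reasons a parsed entry looks suspicious (empty if none)."""
    reasons = []
    path = entry["path"].lower()
    if UPLOAD_ENDPOINT in path and entry["method"] in ("POST", "PUT"):
        reasons.append("write to address_file upload endpoint")
    if PHPINFO_RE.search(path):
        reasons.append("phpinfo probe")
    # Heuristic (assumption): a .php file served from a media/upload path may be a dropped webshell being invoked.
    if ".php" in path and "/media/" in path:
        reasons.append("php file requested under media path")
    return reasons

def scan(lines):
    """Return (hits, per_ip): hits is a list of (ip, path, reasons); per_ip counts hits per source IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
            per_ip[entry["ip"]] += 1
    return hits, per_ip

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2025:05:10:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Oct/2025:05:10:02 +0000] "GET /media/customer_address/info.php HTTP/1.1" 200 9000',
    '198.51.100.7 - - [23/Oct/2025:05:10:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 300',
    '192.0.2.10 - - [23/Oct/2025:05:10:04 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG)[0]:
        print(ip, path, "; ".join(reasons))
```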


Technical Details

Article source: https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html (fetched 2025-10-23T06:01:02Z, 862 words)

Threat ID: 68f9c49e4e1be15805b4c918

Added to database: 10/23/2025, 6:01:02 AM

Last enriched: 10/23/2025, 6:01:18 AM

Last updated: 10/23/2025, 11:25:38 AM

