Executive Summary
In early 2025, a critical security vulnerability (CVE-2025-54236) was discovered in Adobe Commerce, formerly known as Magento. The flaw, tracked as 'SessionReaper' and actively exploited in the wild, enables remote attackers to hijack user sessions on e-commerce sites and bypass authentication controls. Attackers leveraged this weakness to compromise sensitive customer data, manipulate transactions, and disrupt online sales operations for affected merchants. The exploitation created significant financial and reputational risk, prompting rapid incident response and emergency patching.
This incident highlights the growing trend of sophisticated web application attacks targeting popular e-commerce platforms. As threat actors increasingly weaponize session hijacking techniques and exploit critical flaws pre-patch, organizations must prioritize timely vulnerability management and layered defenses to protect customer trust and regulatory compliance.
Why This Matters Now
With active attacks exploiting the Adobe Commerce SessionReaper vulnerability, e-commerce businesses face immediate risk of session hijacking, leading to data breaches and operational disruption. This flaw is being targeted in large-scale campaigns, making urgent patching and enhanced threat detection crucial to avoid serious business and compliance impacts.
Attack Path Analysis
Attackers exploited CVE-2025-54236 in Adobe Commerce to hijack legitimate user sessions and gain initial access to the web application. With access, they escalated privileges by exploiting session tokens and web application flaws for greater control. The adversary pivoted laterally within the cloud network, seeking access to additional resources or sensitive workloads. Command and control channels were established to maintain persistent access and issue instructions via outbound web requests. Data was then exfiltrated through allowed egress channels, possibly leveraging unmonitored outbound traffic. Finally, the attackers impacted business operations by performing actions such as data theft, account manipulation, or service disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a session takeover vulnerability (CVE-2025-54236) in Adobe Commerce to remotely hijack legitimate user sessions and gain initial access to the application.
Related CVEs
CVE-2025-54236
CVSS 9.8
An improper input validation vulnerability in Adobe Commerce allows attackers to achieve session takeover without user interaction.
Affected Products:
Adobe Commerce – 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier
Exploit Status:
Exploited in the wild
CVE-2025-54266
CVSS 8.8
A stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce allows high-privileged attackers to inject malicious scripts into form fields, potentially executing JavaScript in victims' browsers.
Affected Products:
Adobe Commerce – 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier
Exploit Status:
No public exploit
CVE-2025-54265
CVSS 7.5
An incorrect authorization vulnerability in Adobe Commerce allows attackers to bypass security measures and gain unauthorized read access without user interaction.
Affected Products:
Adobe Commerce – 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier
Exploit Status:
No public exploit
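A small triage helper, added here as an example and not part of the advisory or of Adobe's tooling, that takes the "Affected Products" list above and answers whether a given Adobe Commerce version string falls under "listed version and earlier". It assumes the listed version is the highest affected patch level in each release line and that older, unlisted release lines are also affected.

```python
import re
from typing import Tuple

# Highest affected version per release line, copied from the advisory's
# "Affected Products" list; "and earlier" covers lower patch levels and
# older release lines.
AFFECTED_CEILINGS = [
    "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
    "2.4.6-p12", "2.4.5-p14", "2.4.4-p15",
]

# major.minor.patch with an optional -alphaN / -betaN / -pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.8-p2' into a sortable tuple.

    Pre-release tags sort below the GA release and patch releases above it,
    so 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), int(m.group(5) or 0)
    rank = {"alpha": -2, "beta": -1, None: 0, "p": 1}[tag]
    return (major, minor, patch, rank, num)


def is_affected(version: str) -> bool:
    """True if `version` is at or below the advisory ceiling for its line.

    A version number alone cannot show whether an out-of-band hotfix was
    applied on top of it, so treat the result as a triage signal, not proof.
    """
    v = parse_version(version)
    line = v[:3]
    for ceiling in AFFECTED_CEILINGS:
        c = parse_version(ceiling)
        if c[:3] == line:          # same release line: compare patch level
            return v <= c
    # Unlisted release line: affected only if older than the oldest listed one.
    oldest_line = min(parse_version(c)[:3] for c in AFFECTED_CEILINGS)
    return line < oldest_line
```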
MITRE ATT&CK® Techniques
Valid Accounts
Create Account
Steal Web Session Cookie
Exploit Public-Facing Application
Modify Authentication Process: Web Portal
Network Sniffing
Masquerading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Web Applications
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 6
CISA Zero Trust Maturity Model 2.0 – Session and Authentication Controls
Control ID: Identity Pillar – Session Security
NIS2 Directive – Incident Prevention and Detection
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Critical Adobe Commerce vulnerability enables session hijacking on e-commerce platforms, compromising customer data and payment processing with severe PCI compliance implications.
E-Learning
Web application exploitation targeting Adobe Commerce platforms threatens online learning payment systems and student data, requiring enhanced egress security and anomaly detection.
Financial Services
SessionReaper flaw exposes financial e-commerce transactions to remote takeover attacks, demanding immediate zero trust segmentation and encrypted traffic enforcement measures.
Consumer Goods
Direct-to-consumer Adobe Commerce sites face session hijacking risks affecting customer authentication, requiring multicloud visibility and inline intrusion prevention system deployment.
Sources
- Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack – https://www.darkreading.com/vulnerabilities-threats/sessionreaper-adobe-commerce-flaw-under-attack (Verified)
- Adobe Security Bulletin APSB25-88 – https://helpx.adobe.com/security/products/magento/apsb25-88.html (Verified)
- Adobe Security Bulletin APSB25-94 – https://helpx.adobe.com/security/products/magento/apsb25-94.html (Verified)
- CISA Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust network segmentation, inline threat detection, and strict egress policy enforcement would have curtailed session hijack exploitation, contained lateral movement, and prevented data exfiltration in the Adobe Commerce attack scenario.
Control: Inline IPS (Suricata)
Mitigation: Known exploitation signatures detected and blocked at ingress.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege elevation attempts isolated or contained.
Control: East-West Traffic Security
Mitigation: Lateral movement blocked or promptly detected.
Control: Cloud Firewall (ACF)
Mitigation: Unauthorized outbound traffic identified and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts stopped or immediately flagged.
Malicious operations rapidly detected and responded to.
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Customer Account Management
- Order Processing
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of customer personal and payment information due to session takeover and unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS to detect and block web application exploits targeting known vulnerabilities at ingress.
- Enforce zero trust segmentation and least privilege between web, application, and data tiers to limit attacker pivoting.
- Implement strict egress controls and cloud firewall policies to prevent unauthorized outbound traffic and command & control.
- Continuously monitor east-west traffic for lateral movement and anomalous workload behavior across cloud regions.
- Integrate real-time threat detection and response to quickly contain malicious activities before they cause business impact.