Executive Summary
In October 2025, a critical vulnerability known as 'SessionReaper' (CVE-2025-54236) was discovered in Adobe Commerce and Magento Open Source platforms. This flaw, stemming from improper input validation, allows unauthenticated attackers to execute arbitrary code via the Commerce REST API, leading to potential full system compromise and unauthorized access to sensitive customer data. Despite Adobe releasing a patch in September 2025, reports indicate that as of late October, approximately 62% of Magento stores had not applied the necessary fixes, leaving them vulnerable to exploitation. (threatprotect.qualys.com)
The active exploitation of SessionReaper underscores the critical importance of timely patch management in e-commerce platforms. With attackers increasingly targeting unpatched systems, organizations must prioritize the application of security updates to mitigate risks associated with such vulnerabilities.
Why This Matters Now
The 'SessionReaper' vulnerability is actively being exploited, with reports of over 250 attack attempts targeting multiple stores in a single day. (helpnetsecurity.com) This highlights the urgency for organizations to apply the available patches immediately to prevent potential data breaches and system compromises.
Attack Path Analysis
An unauthenticated attacker exploited the 'PolyShell' vulnerability in Magento's REST API to upload a malicious polyglot file, achieving remote code execution. This allowed the attacker to escalate privileges by executing arbitrary code on the server. Subsequently, the attacker moved laterally within the network to access other systems. They established a command and control channel to maintain persistent access. Sensitive customer and financial data were exfiltrated from the compromised systems. Finally, the attacker deployed malware to disrupt e-commerce operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the 'PolyShell' vulnerability in Magento's REST API to upload a malicious polyglot file, achieving remote code execution.
Related CVEs
CVE-2025-54236
CVSS 9.1
A critical vulnerability in Adobe Commerce and Magento Open Source allows unauthenticated remote code execution due to improper input validation.
Affected Products:
Adobe Commerce – 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier
Adobe Magento Open Source – 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier
Exploit Status: Exploited in the wild
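As an added example (not from the advisory, Adobe, or any listed source), the following Python check tests an inventory of store versions against the affected ranges listed above. The ordering of -alpha/-beta/-pN suffixes is an assumption of the example, and release lines the advisory does not list are reported as "not listed" rather than guessed.

```python
import re
from typing import Optional

# Affected ceilings copied from the advisory's "Affected Products" list:
# each release line is vulnerable up to and including the version shown.
AFFECTED_CEILINGS = {
    (2, 4, 9): "2.4.9-alpha2",
    (2, 4, 8): "2.4.8-p2",
    (2, 4, 7): "2.4.7-p7",
    (2, 4, 6): "2.4.6-p12",
    (2, 4, 5): "2.4.5-p14",
    (2, 4, 4): "2.4.4-p15",
}

# Assumed ordering: pre-release stages sort before the GA release,
# and patch releases (-pN) sort after it.
_STAGE_ORDER = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

def parse_version(text: str) -> tuple:
    """Turn '2.4.8-p2' into a comparable tuple (2, 4, 8, 3, 2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage or ""], int(n or 0))

def is_affected(version: str) -> Optional[bool]:
    """True if inside a listed affected range, False if newer than the listed
    ceiling for its release line, None if the release line is not listed."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get(v[:3])
    if ceiling is None:
        return None
    return v <= parse_version(ceiling)

def triage(inventory: dict) -> dict:
    """Sort a {store_name: version} inventory into patch-priority buckets."""
    buckets = {"affected": [], "patched": [], "not_listed": []}
    for store, version in inventory.items():
        state = is_affected(version)
        key = "not_listed" if state is None else ("affected" if state else "patched")
        buckets[key].append(store)
    return buckets

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical store names and versions).
    sample = {"shop-a": "2.4.8-p2", "shop-b": "2.4.7-p8", "shop-c": "2.3.7-p4"}
    for bucket, stores in triage(sample).items():
        print(f"{bucket}: {stores}")
```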
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Upload Malware
Server Software Component: Web Shell
Command and Scripting Interpreter: PowerShell
Exploitation for Client Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Critical exposure to PolyShell RCE vulnerability targeting Magento e-commerce platforms, enabling unauthenticated code execution and account takeover attacks.
Computer Software/Engineering
High-risk web application vulnerability in Magento REST API file upload mechanism requires immediate patch deployment and security configuration updates.
Internet
E-commerce platforms face severe RCE threats through polyglot file uploads, demanding enhanced egress filtering and multicloud visibility controls.
Information Technology/IT
Web server misconfigurations expose critical file upload vulnerabilities, requiring zero trust segmentation and inline IPS threat detection capabilities.
Sources
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores: https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/ (Verified)
- Cal-CSIC Cyber Advisory: Critical Remote Code Execution in Adobe Commerce and Magento Open Source: https://www.caloes.ca.gov/wp-content/uploads/Homeland-Security/Documents/Cyber-Advisories/Cal-CSIC-Cyber-Advisory-Critical-Remote-Code-Execution-in-Adobe-Commerce-Products.pdf (Verified)
- Sansec Research: Magento PolyShell Vulnerability: https://sansec.io/research/magento-polyshell (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute arbitrary code on the server would likely be constrained, reducing the potential for privilege escalation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the potential for administrative access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the potential to access other systems and databases.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain a command and control channel would likely be constrained, reducing the potential for persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the potential for data loss.
Mitigation: The attacker's ability to deploy malware and disrupt operations would likely be constrained, reducing the potential for operational disruption.
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Customer Data Management
- Order Processing
- Payment Processing
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of customer PII, including names, addresses, and payment information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Web Application Firewalls (WAFs) to detect and block malicious file uploads.
- Apply the latest security patches to Magento and Adobe Commerce platforms promptly.
- Enforce Zero Trust Segmentation to limit lateral movement within the network.
- Monitor for anomalous activities indicating potential command and control communications.
- Conduct regular security assessments to identify and mitigate vulnerabilities.