A critical vulnerability in Magento, the popular e-commerce platform now sold by Adobe as Adobe Commerce, is under active exploitation. Dubbed SessionReaper and tracked as CVE-2025-54236, this improper input validation flaw allows attackers to hijack user sessions and, in some configurations, execute malicious code remotely.
The discovery highlights the ongoing risks to online retailers, with over 250 Magento stores reportedly compromised overnight as threat actors ramp up their efforts ahead of the holiday shopping season.
The vulnerability came to light on September 9, 2025, when Adobe issued an emergency security bulletin with patches to address it.
At the time, the flaw was rated critical due to its potential for unauthorized access. However, the situation escalated dramatically on October 22, when researchers at Sansec publicly released a proof-of-concept exploit.
This triggered a surge in attack attempts, transforming a theoretical risk into a widespread threat. Magento’s dominance in the e-commerce space, powering thousands of online stores worldwide, makes it a prime target, especially given its track record of high-profile vulnerabilities that have lured cybercriminals in the past.
At its core, SessionReaper stems from inadequate validation of user inputs in Magento’s authentication mechanisms. Attackers can manipulate session data to impersonate legitimate users, gaining control over admin panels or customer accounts without credentials.
More alarmingly, advanced exploitation techniques demonstrated in the public proof-of-concept enable unauthenticated remote code execution (RCE).
This could let intruders upload malicious scripts directly to servers, potentially stealing sensitive data like payment information or installing backdoors for long-term access.
The vulnerability affects multiple versions of Adobe Commerce and Magento Open Source; any installation that has not applied Adobe's September update remains exposed.
Its CVSS score of 9.1 underscores the severity: high impact on confidentiality and integrity, with no privileges and no user interaction required for initial access.
E-commerce operators running unpatched systems face immediate risks, as attackers need only a crafted request to initiate the hijack.
Akamai’s security team detected the first waves of exploitation shortly after the proof-of-concept surfaced.
In just 48 hours starting October 22, attackers launched over 300 probes against more than 130 unique hosts, originating from 11 distinct IP addresses.
These ranged from web shells, malicious PHP scripts that give an attacker persistent control of the server, down to basic reconnaissance: phpinfo() calls to fingerprint the server environment and echo commands to confirm that injection had succeeded.
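The probes described above (phpinfo() calls, echo tests, and PHP files dropped where they do not belong) are visible in ordinary web-server access logs. The script below is an added example, not code from Akamai, Adobe, or Sansec: it parses combined-format access log lines, flags requests that match those indicators, ranks source IPs by the number of flagged requests, and checks the contents of a PHP file for common web-shell signatures. The log lines, the IP addresses (documentation ranges), the sample shell one-liner, and the indicator names are all constructed for the example; the regexes are heuristics, and the `media/` check relies on Magento serving uploads from `pub/media/`, where no PHP file should ever be requested.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in combined log format. They are illustrative
# only, not captured traffic from the SessionReaper campaign; the IPs are from
# documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2025:02:14:31 +0000] "GET /checkout/cart/ HTTP/1.1" 200 31200 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Oct/2025:02:14:32 +0000] "GET /pub/media/x.php?cmd=phpinfo(); HTTP/1.1" 200 8921 "-" "python-requests/2.32.0"
198.51.100.7 - - [23/Oct/2025:02:15:03 +0000] "GET /pub/media/x.php?cmd=echo%20sr-test HTTP/1.1" 200 7 "-" "curl/8.5.0"
192.0.2.44 - - [23/Oct/2025:02:16:10 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 45122 "https://shop.example/" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2025:02:16:55 +0000] "POST /pub/media/wysiwyg/shell.php HTTP/1.1" 200 14 "-" "curl/8.5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-level indicators for the probes described in the article. Each regex
# is applied to the URL-decoded request target so %20 and friends cannot hide it.
# The names are hypothetical labels chosen for this example.
REQUEST_INDICATORS = [
    ("phpinfo probe", re.compile(r"phpinfo\s*\(", re.I)),
    ("echo injection test", re.compile(r"[?&;=\s]echo\s", re.I)),
    # Magento serves uploads from media/ (pub/media/); a .php file there
    # should never be requested, let alone answer 200.
    ("php script under media path", re.compile(r"^/(pub/)?media/.*\.php(\?|$)", re.I)),
]

# Source-level signatures for the kind of PHP web shell the probes try to drop.
SHELL_SIGNATURES = [
    ("eval of request data", re.compile(r"eval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.S)),
    ("command execution", re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(")),
    ("base64-wrapped payload", re.compile(r"base64_decode\s*\(")),
]


def scan_access_log(text):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = unquote(m.group("target"))
        hits = [name for name, rx in REQUEST_INDICATORS if rx.search(target)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": target,
                "status": int(m.group("status")),
                "indicators": hits,
            })
    return findings


def hosts_by_hits(findings):
    """Count flagged requests per source IP, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


def classify_php_source(src):
    """Return the web-shell signatures present in a PHP file's contents."""
    return [name for name, rx in SHELL_SIGNATURES if rx.search(src)]


if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']:15} {f['status']} {f['target']}  <- {', '.join(f['indicators'])}")
    print("flagged requests per host:", hosts_by_hits(findings))
    # Constructed one-liner in the style of a minimal PHP web shell.
    sample_shell = '<?php @eval(base64_decode($_POST["c"])); ?>'
    print("sample file signatures:", classify_php_source(sample_shell))
```

On the constructed input, three of the five requests are flagged and 198.51.100.7 tops the per-host ranking with two hits. Treat a 200 response to a `.php` request under `media/` as the strongest signal here: it means a script already exists on disk, so the next step is to pull that file and run it through `classify_php_source`, not just to block the IP. The echo and phpinfo patterns are deliberately loose and will need tuning against a store's own traffic before they go into an alerting rule.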
Fortunately, Akamai’s Adaptive Security Engine, part of its App & API Protector suite, has been blocking these attempts by default. Existing rules, such as those targeting PHP web shell uploads, have neutralized threats without customer intervention.
The company’s Security Intelligence Group continues to monitor developments, refining protections as new tactics emerge.
Experts emphasize that while web application firewalls like Akamai’s provide a crucial layer of defense, the most reliable safeguard remains applying Adobe’s patches promptly.
With Magento's vast user base, unpatched sites are easy prey for data theft or ransomware campaigns. Organizations should inventory their Magento and Adobe Commerce installations immediately, update to a patched version, and review servers for signs of compromise, such as unexpected PHP files in upload directories or unfamiliar admin accounts, since a store that was exposed while the exploit was public may already be backdoored.