
A wave of attacks on Magento-based stores has left more than 200 sites fully compromised, according to the reporting summarized here. The intrusions exploit CVE-2025-54236, a critical flaw in the REST API of Adobe Commerce and Magento Open Source that Sansec dubbed "SessionReaper". Adobe classifies it as improper input validation (CWE-20, CVSS 9.1) resulting in a security feature bypass: an unauthenticated attacker can take over customer sessions through the API and, according to Sansec's analysis, reach code execution on stores that keep PHP sessions on the filesystem. Several independent groups are hitting the same bug at once, so administrators of unpatched stores need to patch now and then check whether they were already compromised.
Summary of the Incident
Security researchers have documented multiple campaigns exploiting SessionReaper. Despite the name, the flaw is not a logout or session-expiry bug: a crafted request to the Commerce REST API carries nested, attacker-controlled input that Magento did not validate adequately, which lets the attacker act as another customer and, on stores with file-based session storage, execute code on the server. That code runs as the web server user; taking over the underlying host from there would need a separate local privilege escalation, which none of the reporting here demonstrates.
The most aggressive campaign described in the reporting ran from command-and-control infrastructure in Finland. It mass-scanned Magento REST API endpoints, recorded 1,460 stores as vulnerable, and fully compromised at least 216 of them. The attackers' own records show exfiltration of /etc/passwd. That file is world-readable, so retrieving it proves arbitrary file read or command execution as the web server user, not root access; the same foothold is still enough to steal customer data, modify storefront code, or pivot to systems reachable from the web server.
A second campaign, run from Hong Kong-based C2 infrastructure, targeted stores in Canada and Japan. Rather than stealing data immediately, it planted web shells for persistence; a shell survives patching of the original flaw. Logs recovered from the attackers' servers recorded each successful upload, the access keys for the shells and their exact paths, indicating a methodical, tooled operation.
The weak point is the REST API's handling of untrusted input, not session invalidation after logout. The API accepted nested structures supplied by the caller and turned them into internal objects without sufficient validation; that input-validation gap is what Adobe fixed in advisory APSB25-88. The practical consequences are that customer accounts can be hijacked without a password, and that stores storing PHP sessions on disk can be pushed into executing attacker-supplied code, which is the route to the web shells seen in the second campaign.
Administrators should apply Adobe's fix for CVE-2025-54236 (APSB25-88) immediately, and should not assume that patching alone cleans a store that was already exploited. Audit the webroot for PHP files that should not exist, especially under pub/media and var, where Magento never stores code, and review web server logs for bursts of REST API requests from single IPs followed by requests to unexpected .php paths. If sessions are file-based, moving them to Redis or the database narrows the reported impact to account takeover; it is a hardening step, not a substitute for the patch.
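The webroot audit above can be scripted. The following is an added example written for this article, not code from the article, Adobe or the Magento project. It assumes the standard Magento 2 directory layout (app/, pub/media/, var/, vendor/), uses a hand-picked starter list of web shell indicators, and the temporary tree it builds, including the planted shell, is constructed for the demonstration.

```python
"""Audit a Magento 2 webroot for planted PHP files.

Added example, not code from the article, Adobe or Magento. Assumes the
standard Magento 2 layout; the indicator regexes are illustrative only.
"""
import os
import re
import tempfile
import time
from typing import List, Tuple

# Upload, static, session/cache and generated-code trees: Magento never keeps
# hand-written code here, so any .php/.phtml file in them is a finding on its own.
NO_CODE_DIRS = ("pub/media/", "pub/static/", "var/", "generated/")
CODE_EXTS = (".php", ".phtml", ".phar")

# Patterns common in PHP web shells (assumption: a starter list, not exhaustive).
SHELL_MARKERS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"),
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"move_uploaded_file\s*\(\s*\$_FILES"),
]


def audit_webroot(root: str, baseline_ts: float) -> List[Tuple[str, str]]:
    """Return sorted (relative_path, reason) pairs.

    baseline_ts is the UNIX timestamp of the last known-good deployment; code
    files outside vendor/ modified after it are reported for manual review.
    """
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not name.lower().endswith(CODE_EXTS):
                continue
            if rel.startswith(NO_CODE_DIRS):
                findings.add((rel, "executable file in upload/cache/session tree"))
            with open(full, "rb") as fh:
                data = fh.read(512 * 1024)  # shells are small; cap the read
            for pat in SHELL_MARKERS:
                if pat.search(data):
                    findings.add((rel, "web shell marker: " + pat.pattern.decode()))
                    break
            if not rel.startswith("vendor/") and os.path.getmtime(full) > baseline_ts:
                findings.add((rel, "code file modified after deployment baseline"))
    return sorted(findings)


def build_demo_tree() -> Tuple[str, float]:
    """Create a constructed Magento-like tree in a temp dir; return (root, baseline_ts)."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    baseline = time.time() - 86400  # pretend the last deployment was a day ago
    legit = {
        "vendor/magento/framework/App/Bootstrap.php": b"<?php\nnamespace Magento\\Framework\\App;\nclass Bootstrap {}\n",
        "app/code/Acme/Shipping/Helper/Data.php": b"<?php\nnamespace Acme\\Shipping\\Helper;\nclass Data {}\n",
        "pub/media/catalog/product/cache/1/a/b/widget.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
    }
    planted = {
        # classic one-liner shell dropped into the WYSIWYG upload directory (constructed)
        "pub/media/wysiwyg/shell.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
        # innocuous-looking file in a no-code tree; still reported
        "var/report/cron.phtml": b"<?php echo 'ok';\n",
    }
    for rel, body in {**legit, **planted}.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        if rel in legit:  # legitimate files predate the deployment baseline
            os.utime(full, (baseline - 3600, baseline - 3600))
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for path, reason in audit_webroot(demo_root, demo_baseline):
        print(f"{path}: {reason}")
```

On a real store, point audit_webroot at the Magento root with the timestamp of the last deployment and review every hit by hand; a clean marker scan does not clear a file sitting under pub/media or var, because obfuscated shells will not match a short indicator list.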
Feature / Detail
CVE ID: CVE-2025-54236
Alias: SessionReaper (name given by Sansec)
Vulnerability Type: Improper Input Validation (CWE-20) in the Commerce REST API, leading to security feature bypass
Affected Software: Adobe Commerce and Magento Open Source, unpatched versions (see Adobe advisory APSB25-88)
Attack Vector: Unauthenticated, network-reachable REST API requests
Impact: Customer session/account takeover; remote code execution as the web server user on stores with file-based session storage; web shell persistence
Severity: Critical (CVSS 9.1)
What Undercode Say:
The SessionReaper incident shows how a single input-handling flaw in a store's API can cascade into full compromise. The multi-country, multi-actor pattern is the worrying part: attackers are not only exploiting the bug for immediate gain but also planting web shells so that they keep access after the store is patched. Quick compromise followed by durable persistence is the mark of a well-practised operation.
Administrators should therefore treat the patch as the start of remediation, not the end. Once a web shell is in place, patching closes the entry point but not the foothold. Full remediation means hunting for planted scripts in the webroot, checking for credential theft (admin users, API integration tokens, and the database credentials in app/etc/env.php), rotating anything the attacker could have read, and looking for unusual outbound connections from the web tier.
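One way to do the log-side part of that hunting. This is an added example written for this article, not code from the article, Adobe or Sansec. It assumes combined-format nginx/Apache access logs and a Magento install served from pub/ (so uploads appear under /media/ in request paths); the scan threshold is an illustrative default, and the log lines in SAMPLE_LOG are constructed for the demonstration using RFC 5737 test addresses.

```python
"""Triage web server access logs for SessionReaper-style activity.

Added example, not code from the article, Adobe or Sansec. Assumes combined
log format and a Magento document root of pub/. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# No legitimate Magento request asks for a PHP file under the upload, static or
# var trees, so a hit here with any status is either probing or use of a planted file.
EXEC_IN_UPLOAD = re.compile(r"^/(media|static|var)/.*\.(php|phtml|phar)(\?|$)", re.I)
# Commerce REST API routes: /rest/V1/..., /rest/default/V1/..., /rest/all/V1/...
REST_API = re.compile(r"^/rest/(default/|all/)?V\d+/", re.I)

# Constructed sample: one scanner sweeping API routes then using a shell, one
# ordinary shopper, and one IP probing for a shell that is not there.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /rest/default/V1/customers/me HTTP/1.1" 500 611 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /rest/default/V1/guest-carts HTTP/1.1" 200 44 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "POST /rest/all/V1/guest-carts HTTP/1.1" 200 44 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "POST /rest/V1/guest-carts/abc123/estimate-shipping-methods HTTP/1.1" 400 98 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "POST /rest/default/V1/customers/me/password HTTP/1.1" 500 611 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 77 "-" "python-requests/2.32"
203.0.113.10 - - [01/Jan/2025:10:00:09 +0000] "GET /media/wysiwyg/shell.php?cmd=id HTTP/1.1" 200 58 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jan/2025:10:01:10 +0000] "GET / HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:11 +0000] "GET /static/version1735689600/frontend/Magento/luma/en_US/mage/requirejs/mixins.js HTTP/1.1" 200 3012 "https://store.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:40 +0000] "POST /rest/default/V1/guest-carts/xyz789/items HTTP/1.1" 200 512 "https://store.example/" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2025:10:02:00 +0000] "GET /media/catalog/product/cache/1a/b2/widget.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2025:10:02:01 +0000] "GET /media/wysiwyg/shell.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def parse(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield parsed fields for each well-formed combined-format line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines: Iterable[str], scan_threshold: int = 5) -> Dict[str, object]:
    """Flag shell-path hits, REST API write bursts per IP, and IPs that did both."""
    shell_hits: List[Tuple[str, str, str]] = []  # (ip, path, status) in log order
    rest_writes: Counter = Counter()
    for r in parse(lines):
        if EXEC_IN_UPLOAD.search(r["path"]):
            shell_hits.append((r["ip"], r["path"], r["status"]))
        if r["method"] in ("POST", "PUT", "DELETE") and REST_API.match(r["path"]):
            rest_writes[r["ip"]] += 1
    scanners: Set[str] = {ip for ip, n in rest_writes.items() if n >= scan_threshold}
    pivots = scanners & {ip for ip, _, _ in shell_hits}
    return {"shell_hits": shell_hits, "rest_scanners": scanners, "pivot_ips": pivots}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for ip, path, status in report["shell_hits"]:
        print(f"shell path hit: {ip} {path} -> {status}")
    print("API scanners:", sorted(report["rest_scanners"]))
    print("scanned then used a shell:", sorted(report["pivot_ips"]))
```

The storefront itself issues POSTs to /rest/.../guest-carts for ordinary shoppers, so in production the scan rule needs a time window and a count of distinct endpoints rather than a flat request count; the high-value signal is an IP that swept the API and then requested a PHP file under /media/, and any shell-path hit that returned 200 should be matched against the webroot audit.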
The scale (more than 1,400 vulnerable API endpoints catalogued by one actor) shows how automation lets attackers sweep an entire platform population cheaply. It also raises a supply-chain concern: a compromised store is connected to payment providers, ERPs, shipping and marketing integrations, and can be used as a stepping stone into them.
The campaign logs show the attackers tracking their own success rates, which lets them refine tooling for the next wave. That argues for continuous monitoring, intrusion detection tuned to the store's API traffic, and a patch policy that treats out-of-band Adobe Commerce updates as emergencies.
Security teams should also limit the blast radius of an API or admin compromise: restrict which networks can reach the admin path and the REST API integration endpoints, run the web tier as a dedicated low-privilege user with no sudo rights, keep the database and session store on separate hosts, and store sessions in Redis or the database rather than on disk.
Ultimately, SessionReaper shows that even a widely used platform with a mature patch process is exposed when input reaching its APIs is not validated. Organizations that ignore the issue risk long-term operational, financial and reputational damage.
Fact Checker Results:
✅ The CVE-2025-54236 vulnerability is real and classified as critical.
✅ Multiple independent campaigns exploiting this flaw have been documented by security firms.
❌ No evidence suggests that all Magento instances worldwide are affected; only unpatched systems are vulnerable.
Prediction:
⚠️ Expect a surge in automated attacks targeting unpatched Magento environments in the next 3–6 months.
💥 Attackers are likely to expand their campaigns globally, exploiting the dual approach of immediate compromise and long-term persistence.
🔒 Organizations that proactively patch and audit their systems may significantly reduce the risk, but failure to act could lead to large-scale e-commerce breaches with major financial impact.
References:
Reported By: cyberpress.org