Active exploitation of critical SessionReaper flaw in Adobe Commerce and Magento Open Source
Summary
Adobe Commerce and Magento Open Source platforms are under active exploitation by hackers targeting the critical SessionReaper vulnerability (CVE-2025-54236). The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Despite the patch, hundreds of exploitation attempts have been recorded, with many stores remaining unpatched. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module. Over 250 Magento stores were hit overnight as hackers exploited the flaw, with attacks originating from five specific IP addresses. The attacks involved dropping PHP webshells or probing phpinfo to extract PHP configuration information. Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours.
Timeline
- 24.10.2025 00:25 · 1 article
  Exploitation activity for SessionReaper begins with proof-of-concept exploit release
  Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours. Initial payloads in attacks on CVE-2025-54236 featured PHP web shells or phpinfo probes.
  Sources:
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- 22.10.2025 21:41 · 3 articles
  Active exploitation of SessionReaper vulnerability in the wild
  The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Initial payloads in attacks on CVE-2025-54236 featured PHP web shells or phpinfo probes.
  Sources:
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- 09.09.2025 18:53 · 4 articles
  Adobe patches critical SessionReaper flaw in Magento eCommerce platform
  Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. Sansec blocked more than 250 attempted attacks against multiple stores using its Magento-focused Sansec Shield web application firewall (WAF). The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours. Initial payloads in attacks on CVE-2025-54236 featured PHP web shells or phpinfo probes.
  Sources:
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
Information Snippets
- The vulnerability, CVE-2025-54236, is described as one of the most severe in the history of the Magento platform.
  First reported: 09.09.2025 18:53 · 3 sources, 5 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The flaw can be exploited without authentication to take control of customer accounts through the Commerce REST API.
  First reported: 09.09.2025 18:53 · 3 sources, 5 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Adobe Commerce on Cloud customers are protected by a WAF rule deployed by Adobe.
  First reported: 09.09.2025 18:53 · 3 sources, 5 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The patch disables internal Magento functionality, which may affect custom or external code.
  First reported: 09.09.2025 18:53 · 3 sources, 5 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- At the time of the patch release, Adobe stated it was not aware of any exploitation activity in the wild.
  First reported: 09.09.2025 18:53 · 3 sources, 3 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- An initial hotfix for CVE-2025-54236 was leaked, potentially giving threat actors a head start.
  First reported: 09.09.2025 18:53 · 2 sources, 3 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The vulnerability is expected to be abused via automation at scale.
  First reported: 09.09.2025 18:53 · 2 sources, 3 articles
  - Adobe patches critical SessionReaper flaw in Magento eCommerce platform — www.bleepingcomputer.com — 09.09.2025 18:53
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The vulnerability, CVE-2025-54236, has a CVSS score of 9.1 out of 10.0.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The affected products and versions include Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The affected products and versions also include Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The affected products and versions also include Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are also affected.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Adobe has deployed WAF rules to protect Adobe Commerce on Cloud environments.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The vulnerability is classified as an improper input validation flaw.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The vulnerability follows a pattern similar to the CosmicSting attack from 2024, combining a malicious session with a nested deserialization bug in Magento's REST API.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The specific remote code execution vector appears to require file-based session storage, but other session types may also be vulnerable.
  First reported: 10.09.2025 04:08 · 3 sources, 4 articles
  - Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts — thehackernews.com — 10.09.2025 04:08
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (formerly Magento) platforms, with hundreds of attempts recorded.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The activity was spotted by e-commerce security firm Sansec, whose researchers previously described SessionReaper as one of the most severe security bugs in the history of the product.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- An attacker successfully exploiting the flaw can take control of account sessions without any user interaction.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Roughly six weeks after the emergency patch for SessionReaper became available, Sansec is confirming active exploitation in the wild.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Sansec blocked more than 250 SessionReaper exploitation attempts targeting multiple stores, with most of the attacks originating from five IP addresses.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The attacks so far included PHP webshells or phpinfo probes that check configuration settings and look for predefined variables on the system.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, which could lead to an increase in exploitation attempts.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- According to Sansec, 62% of the Magento stores online have yet to install Adobe's security update and remain vulnerable to SessionReaper attacks.
  First reported: 22.10.2025 21:41 · 3 sources, 3 articles
  - Hackers exploiting critical "SessionReaper" flaw in Adobe Magento — www.bleepingcomputer.com — 22.10.2025 21:41
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The attacks originated from the IP addresses 34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, 155.117.84[.]134, and 159.89.12[.]166.
  First reported: 23.10.2025 08:47 · 2 sources, 2 articles
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The attacks involved dropping PHP webshells or probing phpinfo to extract PHP configuration information.
  First reported: 23.10.2025 08:47 · 2 sources, 2 articles
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The attacks uploaded PHP backdoors via '/customer/address_file/upload' as a fake session.
  First reported: 23.10.2025 08:47 · 2 sources, 2 articles
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Security researcher Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.
  First reported: 23.10.2025 08:47 · 2 sources, 2 articles
  - Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw — thehackernews.com — 23.10.2025 08:47
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit.
  First reported: 24.10.2025 00:25 · 1 source, 1 article
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Sansec blocked more than 250 attempted attacks against multiple stores using its Magento-focused Sansec Shield web application firewall (WAF).
  First reported: 24.10.2025 00:25 · 1 source, 1 article
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners.
  First reported: 24.10.2025 00:25 · 1 source, 1 article
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours.
  First reported: 24.10.2025 00:25 · 1 source, 1 article
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
- Initial payloads in attacks on CVE-2025-54236 featured PHP web shells or phpinfo probes.
  First reported: 24.10.2025 00:25 · 1 source, 1 article
  - Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack — www.darkreading.com — 24.10.2025 00:25
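A defender-side log triage script, added here as an example and not taken from any of the cited sources, that scans web-server access logs for the indicators this page reports: POSTs to '/customer/address_file/upload', requests from the five published source IPs, and phpinfo probes. The list of expected Magento PHP entry points is an assumption about a standard Magento 2 install, and the sample log lines are constructed.

```python
"""Triage access logs for activity matching the reported SessionReaper campaign."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Source IPs as published on the page (defanged); refanged below for matching.
REPORTED_SOURCE_IPS_DEFANGED = (
    "34.227.25[.]4", "44.212.43[.]34", "54.205.171[.]35",
    "155.117.84[.]134", "159.89.12[.]166",
)
# Path reported as the route used to upload PHP backdoors.
UPLOAD_PATH = "/customer/address_file/upload"
# Assumption: Magento 2's standard public entry points under pub/. Any other
# directly requested .php file deserves a look (possible dropped web shell).
EXPECTED_PHP_ENTRYPOINTS = {"index.php", "get.php", "static.php", "cron.php", "health_check.php"}

# Common/combined log format: ip ident user [ts] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return ip.replace("[.]", ".")


REPORTED_SOURCE_IPS = frozenset(refang(ip) for ip in REPORTED_SOURCE_IPS_DEFANGED)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    method: str
    uri: str
    status: int
    reasons: tuple


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None if it does not match the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> tuple:
    """Return the (possibly empty) tuple of reasons a request is suspicious."""
    reasons = []
    path = entry["uri"].split("?", 1)[0]
    basename = path.rstrip("/").rsplit("/", 1)[-1]
    if entry["ip"] in REPORTED_SOURCE_IPS:
        reasons.append("reported-source-ip")
    if entry["method"] == "POST" and UPLOAD_PATH in path:  # store-code prefixes allowed
        reasons.append("post-address-file-upload")
    if "phpinfo" in path.lower():
        reasons.append("phpinfo-probe")
    if basename.endswith(".php") and basename not in EXPECTED_PHP_ENTRYPOINTS:
        reasons.append("unexpected-php-file")
    return tuple(reasons)


def triage(lines) -> list:
    """Parse every line and keep only requests that trip at least one rule."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(entry["ip"], entry["ts"], entry["method"],
                                    entry["uri"], int(entry["status"]), reasons))
    return findings


def flagged_requests_by_ip(findings) -> Counter:
    """Count flagged requests per client so repeat sources stand out."""
    return Counter(f.ip for f in findings)


# Constructed sample log (not from a real incident); 203.0.113.x and 198.51.100.x
# are documentation ranges, the other two addresses are the published indicators.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2025:02:14:01 +0000] "GET /rest/V1/products HTTP/1.1" 200 5120',
    '34.227.25.4 - - [23/Oct/2025:02:14:09 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312',
    '34.227.25.4 - - [23/Oct/2025:02:14:11 +0000] "GET /media/x.php HTTP/1.1" 200 88',
    '198.51.100.23 - - [23/Oct/2025:02:15:40 +0000] "GET /phpinfo.php HTTP/1.1" 404 153',
    '198.51.100.23 - - [23/Oct/2025:02:15:42 +0000] "POST /default/customer/address_file/upload HTTP/1.1" 200 312',
    '203.0.113.9 - - [23/Oct/2025:02:16:00 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 9021',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip:>15} {f.method} {f.uri} {f.status} -> {', '.join(f.reasons)}")
    print(flagged_requests_by_ip(triage(SAMPLE_LOG)))
```

Run it against a real access log with `triage(open(path))`; a successful POST to the upload path followed by a 200 for a PHP file the install does not ship is the sequence worth escalating.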
Similar Happenings
Active Exploitation of Critical Adobe AEM Forms Misconfiguration
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.
Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability
Active exploitation of an unpatched security flaw in Gladinet CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.
Active exploitation of authentication bypass in Service Finder WordPress theme
Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and gain administrative access. The flaw, tracked as CVE-2025-5947, affects versions 6.0 and older and has been exploited since September 2025. The vulnerability is present in the Service Finder Bookings plugin bundled with the Service Finder theme. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. The flaw affects over 6,100 customers using the theme. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.
Critical Redis Lua Use-After-Free Vulnerability Exploitable for Remote Code Execution
A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed "RediShell", allows authenticated attackers to achieve remote code execution on vulnerable instances. The flaw, a 13-year-old use-after-free weakness in the Redis Lua scripting engine, affects all versions of Redis and can be exploited to gain full access to the host system. Successful exploitation can lead to data exfiltration, encryption, or lateral movement within cloud environments. The vulnerability impacts approximately 330,000 exposed Redis instances, with around 60,000 of them not requiring authentication. Patches have been released in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, and administrators are urged to update their instances immediately. Additional patches have been released for versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131. Temporary workarounds include setting an access control list (ACL) to restrict EVAL and EVALSHA commands. The vulnerability was discovered and reported by cloud security company Wiz on May 16, 2025. The flaw was jointly disclosed by Redis and Wiz on October 3, 2025. There is no evidence that the vulnerability was exploited in the wild. The flaw exploits a use-after-free (UAF) memory corruption bug, allowing attackers to escape the Lua sandbox and achieve arbitrary code execution. Wiz recommended implementing Redis authentication and network access controls, and urged organizations to prioritize patching Redis instances exposed to the Internet.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.