SessionReaper Exploits Erupt as Magento Sites Lag on Patching

24 October 2025 at 04:41

SessionReaper, Adobe, Magento, Vulnerabilities Exploitation, SessionReaper Exploitation

Six weeks after Adobe shipped an emergency fix, attackers have begun weaponizing SessionReaper — and most Magento stores still stand exposed.

Security firm Sansec’s forensics team said it blocked hundreds of real-world exploitation attempts of the SessionReaper bug as proof-of-concept code and a technical write-up circulated publicly. For those who still have not patched this bug, it is a critical warning that widespread abuse will follow.

What Is the SessionReaper Bug

SessionReaper (CVE-2025-54236) is an unauthenticated, remote-code-execution flaw in Adobe Commerce / Magento that stems from nested deserialization in admin-facing functionality. Assetnote published the technical analysis that demonstrated how an attacker could craft requests to trigger object deserialization and run arbitrary PHP — a straight path to web shells and full shop takeover. With exploit details now public, Sansec researchers said the window for safe patching had effectively closed.

Sansec researchers reported that only 38% of Magento stores had applied Adobe’s patch six weeks after disclosure, leaving roughly 62% vulnerable to automated scans and commodity exploit tooling. They also confirmed blocking more than 250 exploitation attempts in a single day and observed initial payloads that delivered PHP webshells or phpinfo probes. The company published an initial set of attacker source IPs to help defenders triage incoming traffic.

Attackers Exploited Familiar eCommerce Playbook

Researchers said the flow of the attack is not novel and has been observed earlier. The attackers scanned the web for reachable admin consoles, sent crafted HTTP requests to the vulnerable endpoint and dropped webshells to persist and pivot.

Sansec compared SessionReaper’s potential impact to previous mass-compromise flaws such as Shoplift (2015) and CosmicSting (2024), both of which spawned waves of site-wide infections and payment-card skimming campaigns. With automated exploit scanners and proof-of-concept code circulating, researchers expect mass compromise within hours of public analysis.

The defensive checklist that the researchers suggested remains simple but urgent. They urged store owners to deploy the vendor patch or upgrade to the latest security release immediately; to activate a web application firewall (WAF) if they cannot patch right away; and to run a thorough compromise scan for indicators such as unexpected PHP webshells, new files in webroot and suspicious scheduled tasks. They also advised searching logs for the IPs Sansec observed to identify probing activity.
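The log search and webroot check from that checklist can be scripted for a first triage pass. The following is an added example, not code from Sansec or Adobe; the watchlist entries, sample log lines and request paths are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from pathlib import Path

# Constructed placeholders (RFC 5737 documentation ranges); replace with the published IP list.
WATCHLIST = ["203.0.113.7", "198.51.100.0/24"]

# Constructed sample lines in combined access-log format; the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2025:10:01:02 +0000] "POST /example/path HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.10 - - [23/Oct/2025:10:01:05 +0000] "GET /checkout HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.44 - - [23/Oct/2025:10:02:11 +0000] "POST /example/path HTTP/1.1" 404 0 "-" "python-requests"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
PHP_EXTS = {".php", ".phtml", ".phar"}

def watchlist_hits(log_text, watchlist):
    """Return parsed requests whose client IP is on the watchlist (single IPs or CIDRs)."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watchlist]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is a hostname or garbage, not an IP
        if any(addr in n for n in nets):
            hits.append({"ip": str(addr), "time": m.group(2), "method": m.group(3),
                         "path": m.group(4), "status": int(m.group(5))})
    return hits

def recent_php_files(webroot, since_epoch):
    """List PHP-executable files under webroot modified at or after since_epoch."""
    # mtime can be reset by an intruder, so an empty result is not proof of a clean
    # store; compare against a known-good release or file-integrity baseline as well.
    found = []
    for p in Path(webroot).rglob("*"):
        if p.is_file() and p.suffix.lower() in PHP_EXTS and p.stat().st_mtime >= since_epoch:
            found.append(str(p.relative_to(webroot)))
    return sorted(found)
```

Set `since_epoch` to a point before the patch was available, and review each watchlist hit with a 200 status alongside any files the second function reports.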

The warning held particular weight because of the way ecommerce platforms amplify risk. Magento and Adobe Commerce sit at the intersection of payments, customer PII and third-party plugins. A single compromised admin console can let an attacker replace checkout pages, inject payment skimmers, and harvest credit-card data at scale. Attackers historically monetized these compromises rapidly, either by installing Magecart skimmers or building backend access for long-running fraud operations. Sansec’s timeline explicitly linked SessionReaper to that same class of high-impact supply-chain abuse.

The SessionReaper episode offered two broader lessons. First, critical-path fixes for internet-facing infrastructure must move faster than the adversary’s ability to automate; Adobe’s patch arrived, but adoption lagged dangerously. Second, ecommerce operators needed layered controls. Patching alone would stop exploitation, but WAFs, hardened deployment practices, privilege separation and continuous file-integrity monitoring buy time when immediate patching proves difficult.

Thousands of online stores at risk as SessionReaper attacks spread

23 October 2025 at 12:56

In early September, a security researcher uncovered a new vulnerability in Magento, an open-source e-commerce platform used by thousands of online retailers, and its commercial counterpart Adobe Commerce. It sounds like something straight out of a horror movie: SessionReaper. Behind the cinematic name hides a very real and very dangerous remote code execution flaw, tracked as CVE-2025-54236. It allows attackers to hijack live customer sessions and, in some setups, even take full control of the server that runs the store.

SessionReaper lives in a part of Magento that handles communication between the store and other services. The bug stems from improper input validation and unsafe handling of serialized data. In plain terms, Magento sometimes trusts data that no web application ever should. This lets an attacker trick the system into accepting a specially crafted “session” file as a legitimate user login—no password required.

What they can do with that login depends on how the store is configured, but researchers at SecPod warn:

“Successful exploitation of SessionReaper can lead to several severe consequences, including security feature bypass, customer account takeover, data theft, fraudulent orders, and potentially remote code execution.”

Session-stealers like this one mean a compromised store can quietly expose a shopper’s personal details, order information, or payment data to attackers. In some cases, criminals inject “skimmer” code that harvests card details as you type them in or reroutes you to phishing sites designed to look like legitimate checkouts.

A patch for the vulnerability was released on September 9, but six weeks later, roughly 62% of Magento stores reportedly remain unpatched. After someone published a proof-of-concept (PoC), cybercriminals quickly built working exploits and attacks are now spreading fast. So, while SessionReaper isn’t malware a shopper can “catch” directly, it can turn even trusted stores into possible data-theft traps until the site owners patch.

Researchers at Sansec, whose sensors monitor e-commerce attacks worldwide, report seeing more than 250 Magento stores compromised within 24 hours of the exploit code going public.

How consumers can stay safe

Web store owners should patch their Magento sites immediately. Unfortunately, regular shoppers have almost no way to tell whether a store is still vulnerable or already secured.

From a consumer’s point of view, SessionReaper is another reminder that even trusted stores can quietly become unsafe between page loads. When a platform as widespread as Magento is under active attack, the best defense often lies outside the store itself.

  • Watch out for odd behavior on a site or missing valid HTTPS, and don’t enter payment or personal data if something seems suspicious.
  • Where possible, opt for checkout options that use third-party gateways (like PayPal), as they’re isolated from the store’s servers.
  • Report suspicious e-commerce behavior to the site operator or your payment provider straight away.
  • Shop on reputable sites whenever you can, or check the reviews and reputation of any new sellers before buying.
  • Make sure your operating system, browser, and anti-malware software are up to date to protect against the latest threats.
