Attackers Hijack 200+ Sites by Exploiting Magento Vulnerability
By Lucas Martin, January 30, 2026
Introduction
In a significant cybersecurity breach, attackers have compromised over 200 websites globally by exploiting a critical vulnerability in the Magento e-commerce platform. This vulnerability, tracked as CVE-2025-54236 and referred to as “SessionReaper,” allows threat actors to bypass authentication mechanisms, leading to unauthorized access and, in some cases, complete control over the affected systems.
The Vulnerability: CVE-2025-54236
The core issue with CVE-2025-54236 lies in the improper handling of session termination by the Magento platform. Under certain conditions, session tokens are not adequately invalidated after use or logout. This flaw enables attackers to capture valid session tokens and replay them, granting unauthorized access to user sessions without requiring a password.
Mass Exploitation and Root Compromise
Recent investigations have revealed multiple independent intrusion campaigns targeting Magento environments. One of the most aggressive campaigns originated from a command-and-control (C2) infrastructure based in Finland. This group conducted extensive scans to identify vulnerable Magento Commerce APIs, successfully cataloging over 1,460 vulnerable APIs in a file named success_api_2025.txt.
Impact of the Attacks
Analysis confirmed that at least 216 websites were fully compromised. The attackers escalated their privileges, gaining root access on the host servers. Evidence of this deep compromise was found in the exfiltration of sensitive files, such as /etc/passwd, from the victim systems. This indicates that the attackers had unrestricted access to the underlying operating system, allowing them to potentially steal customer payment data, modify site code, or pivot to other connected systems within the network.
Distinct Campaigns Observed
A second campaign was identified, specifically targeting Magento environments in Canada and Japan. This operation utilized C2 infrastructure located in Hong Kong and focused on establishing persistent access rather than immediate data exfiltration. The attackers exploited the SessionReaper vulnerability to upload web shells to the victim servers, granting them long-term control over the compromised sites.
Web Shell Deployment
The deployment of web shells transforms a temporary vulnerability exploitation into a persistent security incident. Even if the original vulnerability is patched, the web shells allow attackers to maintain access, execute arbitrary commands, and modify files at will. Logs recovered from the adversary’s infrastructure revealed successful uploads of malicious scripts, meticulously structured to list victim URLs alongside the specific paths where the web shells were deployed.
Recommendations for Magento Users
Administrators managing Magento environments are strongly advised to apply the latest security patches immediately to mitigate the risks associated with CVE-2025-54236. Additionally, a thorough audit of the webroot for unrecognized files and a review of access logs for suspicious IP addresses are recommended to ensure that no persistent backdoors remain.
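The two checks recommended above, a webroot audit for PHP files that do not belong to the deployment and an access-log review for clients reaching such files, as a small added Python illustration (not code from the article or from Magento); the baseline set, the no-PHP directory list, the file names and the log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Hypothetical baseline of PHP files that belong to this deployment. In
# practice, build it from a clean checkout of the deployed release.
KNOWN_PHP = {"pub/index.php", "pub/get.php", "pub/static.php", "app/etc/env.php"}
# Directories under the Magento 2 docroot that should hold no PHP (assumption).
UPLOAD_DIRS = ("pub/media/", "pub/static/", "var/")

def unrecognized_php(files, known=KNOWN_PHP):
    """List PHP files outside the baseline, tagged by why they stand out."""
    findings = []
    for path in files:
        if path.endswith(".php") and path not in known:
            reason = "php-in-upload-dir" if path.startswith(UPLOAD_DIRS) else "not-in-baseline"
            findings.append((path, reason))
    return findings

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(log_lines, known=KNOWN_PHP):
    """Flag requests that reach a PHP script not in the baseline and count
    them per client so the noisiest addresses surface first."""
    hits, per_ip = [], Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash mid-audit
        ip, ts, method, url, status = m.groups()
        fs_path = "pub/" + url.split("?", 1)[0].lstrip("/")  # docroot is pub/
        if fs_path.endswith(".php") and fs_path not in known:
            hits.append((ip, method, fs_path, status))
            per_ip[ip] += 1
    return hits, per_ip

# Constructed sample data (not from the article): a stray script in the media tree.
SAMPLE_FILES = ["pub/index.php", "pub/media/wysiwyg/cache.php", "pub/upd.php",
                "app/etc/env.php", "pub/media/logo.png"]
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2026:10:12:01 +0000] "POST /media/wysiwyg/cache.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.2 - - [30/Jan/2026:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jan/2026:10:12:09 +0000] "GET /media/wysiwyg/cache.php?v=2 HTTP/1.1" 200 64 "-" "curl/8.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for path, reason in unrecognized_php(SAMPLE_FILES):
        print(f"[file] {path}: {reason}")
    hits, per_ip = suspicious_requests(SAMPLE_LOG)
    for ip, method, path, status in hits:
        print(f"[log] {ip} {method} {path} -> {status}")
    print("requests per client:", dict(per_ip))
```

Any file the script reports should be compared against a clean release copy before it is treated as a web shell, and the baseline must include every legitimate PHP file of the deployment or it will produce false positives.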
Conclusion
The exploitation of the SessionReaper vulnerability highlights the urgent need for website administrators to maintain up-to-date security protocols and to remain vigilant against potential threats. The combination of unauthorized access and the ability to deploy persistent web shells poses a significant risk to e-commerce operations globally.
Frequently Asked Questions
What is CVE-2025-54236?
CVE-2025-54236, also known as “SessionReaper,” is a critical vulnerability in the Magento e-commerce platform that allows attackers to bypass authentication mechanisms by replaying improperly invalidated session tokens, leading to unauthorized access.
How many websites have been compromised?
At least 216 websites have been confirmed as fully compromised due to the exploitation of the SessionReaper vulnerability.
What should Magento administrators do?
Magento administrators are advised to apply the latest security patches immediately, audit their webroot for unrecognized files, and review access logs for suspicious activity to prevent unauthorized access.
Note: Cybersecurity is an ongoing challenge, and staying informed about vulnerabilities and best practices is essential for protecting online assets.
