Over 200 Magento Stores Compromised In Rootkit Rampage via Zero-Day Exploit
In a recent surge of cyberattacks, over 200 Magento e-commerce stores have fallen victim to a significant security breach, exploiting a zero-day vulnerability identified as CVE-2025-54236, also known as “SessionReaper.” This vulnerability has allowed attackers to bypass authentication mechanisms by reusing invalid session tokens, resulting in session hijacking and full server takeovers.
The Attack Overview
Researchers have reported multiple intrusion campaigns targeting Magento sites globally, with more than 200 stores suffering root-level compromises. The attackers systematically scanned 1,460 vulnerable Magento Commerce APIs and compiled the results in a file named “success_api_2025.txt.” From that list they breached 216 websites, retrieving account listings resembling /etc/passwd from the servers, which revealed the user accounts present and confirmed root access.
Details of the Exploit
The campaign was orchestrated through a command-and-control (C2) infrastructure located at IP address 93.152.230.161, hosted in Finland. This setup was used for mass scanning and exploitation of the vulnerable APIs, turning them into entry points for the attackers. The scale of the operation was alarming; the attackers did not merely probe the systems but methodically rooted them, likely deploying rootkits to maintain persistent access.
Separate Attacks in Canada and Japan
In addition to the global campaign, distinct operations were reported in Canada and Japan, where attackers also exploited the CVE-2025-54236 flaw. In these cases, web shells were uploaded to the compromised sites, allowing for ongoing access. The C2 traffic for these operations flowed through an IP address in Hong Kong (115.42.60.163). Logs from these attacks, found in files like “404_key.txt” and “key.txt,” detailed victim URLs, shell paths, and control keys, indicating successful uploads across multiple sites.
Impact of the Vulnerability
CVE-2025-54236 affects unpatched versions of Magento Commerce, scoring high on the Common Vulnerability Scoring System (CVSS) due to its authentication bypass capabilities leading to remote code execution (RCE). The vulnerability’s impact is significant, as it allows attackers to gain root access, deploy web shells, and steal sensitive data. The following table summarizes the scope of the flaw:
| Detail | Information |
|---|---|
| CVE ID | CVE-2025-54236 (SessionReaper) |
| Affected Software | Magento Commerce (unpatched) |
| Vulnerability Type | Authentication Bypass, Session Hijacking |
| Exploitation Impact | Root access, web shells, data theft |
| Victims Identified | 216 rooted sites + Canada/Japan webshells |
| C2 IPs | 93.152.230.161 (Finland), 115.42.60.163 (HK) |
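The table above describes the flaw as an authentication bypass through reuse of invalid session tokens. The following block is an added illustration, not Magento's or Adobe's code, of what a server-side session check that does not accept such tokens looks like: a token that was never issued, has expired, or was revoked at logout is rejected, and each token is bound to the client context it was issued to. The class and method names, the fingerprint scheme and the `lax_validate` contrast are assumptions made for this example and say nothing about how Magento itself implements sessions.

```python
"""Strict session validation: an added illustration, not Magento's code.
Shows the two controls the article recommends: invalidated (logged-out or
expired) tokens are rejected rather than accepted, and each token is bound
to the client context it was issued to. All names here are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    expires_at: float
    binding: str          # fingerprint of the client the token was issued to
    revoked: bool = False


class SessionStore:
    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # token -> Session

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # Token binding: tie the session to the client context at issue time.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user, client_ip, user_agent):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(
            user=user,
            expires_at=self._clock() + self._ttl,
            binding=self._fingerprint(client_ip, user_agent),
        )
        return token

    def invalidate(self, token):
        # Logout or password change: mark the record revoked but keep it, so a
        # later presentation of the same token is recognised and can be logged.
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True

    def validate(self, token, client_ip, user_agent):
        """Return (user, reason); user is None whenever the token is rejected."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown-token"
        if session.revoked:
            return None, "revoked"
        if self._clock() >= session.expires_at:
            return None, "expired"
        expected = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(expected, session.binding):
            return None, "binding-mismatch"
        return session.user, "ok"

    def lax_validate(self, token):
        """Constructed anti-pattern for contrast (not Magento's code): only checks
        that the token was ever issued, so a logged-out, expired or relocated
        token is still treated as a valid login."""
        session = self._sessions.get(token)
        return (session.user, "ok") if session else (None, "unknown-token")
```

The binding shown here uses source IP plus User-Agent, which is the simplest form and will log out legitimate users whose address changes mid-session (mobile networks, corporate proxies); a deployment would usually bind to something more stable, such as a TLS-bound or cookie-bound secret, but the check is the same: a token presented from a context other than the one it was issued to is rejected rather than honoured.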
Recommendations for Magento Users
Magento users are urged to take immediate action to mitigate the risks associated with this vulnerability. Adobe has issued patches that should be applied promptly via Composer updates. Additionally, users should:
- Scan for Indicators of Compromise (IOCs) and monitor for C2 IPs: 93.152.230.161 and 115.42.60.163.
- Check server logs for signs of anomalous session reuse.
- Enforce strict session invalidation and implement token binding to enhance security.
- Utilize Web Application Firewall (WAF) rules to block patterns associated with CVE-2025-54236.
- Conduct audits on APIs to limit exposure and reduce vulnerabilities.
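The first two recommendations above (watch for the C2 addresses, and look for anomalous session reuse in server logs) can be checked mechanically. The block below is an added example, not part of the article or of any Magento tooling: it runs over a small constructed session log and flags requests from the two C2 IPs named in the article, session IDs that are presented after a logout for that ID, and session IDs seen from more than one source address. The log format (timestamp, source IP, event, `sid=`, path), the sample lines and the function names are assumptions; a real deployment would adapt `LINE_RE` to whatever the application actually logs.

```python
"""Added example (not from the article): scan a constructed session log for the
article's C2 IPs and for anomalous session reuse. Log format is an assumption."""
import re
from collections import defaultdict

# Command-and-control addresses reported in the article.
C2_IPS = {"93.152.230.161", "115.42.60.163"}

# Constructed sample log (not real traffic). Fields: ts ip event sid=<id> path
SAMPLE_LOG = """\
2025-09-10T10:00:01Z 198.51.100.7 login sid=aaa111 /customer/account/login
2025-09-10T10:00:05Z 198.51.100.7 request sid=aaa111 /customer/account/
2025-09-10T10:01:00Z 198.51.100.7 logout sid=aaa111 /customer/account/logout
2025-09-10T10:01:30Z 203.0.113.9 request sid=aaa111 /rest/V1/customers/me
2025-09-10T10:02:00Z 192.0.2.44 login sid=bbb222 /customer/account/login
2025-09-10T10:02:10Z 93.152.230.161 request sid=bbb222 /rest/V1/customers/me
2025-09-10T10:03:00Z 93.152.230.161 request sid=zzz999 /rest/V1/guest-carts
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+) sid=(?P<sid>\S+) (?P<path>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text):
    """Return a list of findings, each a dict with at least 'kind' and 'sid'."""
    findings = []
    ips_by_sid = defaultdict(set)   # every source IP each session ID was seen from
    ended = set()                   # session IDs that have been logged out
    for rec in parse(log_text):
        sid, ip, event, ts = rec["sid"], rec["ip"], rec["event"], rec["ts"]
        if ip in C2_IPS:
            findings.append({"kind": "c2-ip", "sid": sid, "ip": ip, "ts": ts,
                             "path": rec["path"]})
        if event == "login":
            ended.discard(sid)      # a fresh login for this ID starts a new life
        elif event == "logout":
            ended.add(sid)
        elif event == "request" and sid in ended:
            # The ID was invalidated by logout yet is still being presented:
            # the reuse-after-invalidation pattern the article describes.
            findings.append({"kind": "reuse-after-logout", "sid": sid,
                             "ip": ip, "ts": ts, "path": rec["path"]})
        ips_by_sid[sid].add(ip)
    for sid, ips in ips_by_sid.items():
        if len(ips) > 1:
            findings.append({"kind": "multi-ip", "sid": sid,
                             "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scan reports the post-logout reuse of `aaa111` from a second address, the two requests from 93.152.230.161, and both session IDs that were presented from more than one source IP. A session seen from several addresses is not proof of compromise on its own (NAT and mobile roaming do the same), so treat that finding as a prompt to inspect the surrounding requests rather than as a verdict.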
Conclusion
This recent wave of cyberattacks highlights the urgent need for Magento users to patch their systems and remain vigilant against evolving threats. With over 200 confirmed root compromises, unmitigated sites are at imminent risk. Oasis Security emphasizes the importance of proactive measures to safeguard against such vulnerabilities.
Frequently Asked Questions
CVE-2025-54236, also known as “SessionReaper,” is a vulnerability in Magento that allows attackers to bypass authentication by reusing invalid session tokens, leading to session hijacking and full server takeovers.
Over 200 Magento stores were compromised during the recent cyberattack, with attackers gaining root access to 216 of these sites.
Magento users should apply the latest patches from Adobe, monitor for Indicators of Compromise, enforce strict session management, and audit their APIs to enhance security.
Note: The information provided in this article is intended for educational purposes and should not be considered as professional advice. Always consult with a cybersecurity expert for specific guidance related to your situation.
