Multiple independent intrusion campaigns targeting Magento e-commerce environments have resulted in the complete compromise of more than 200 websites worldwide. The attacks leverage a critical vulnerability tracked as CVE-2025-54236, also known as “SessionReaper.” According to the researchers who reported the intrusions, the flaw lets threat actors bypass authentication by replaying session tokens that the application fails to invalidate properly, leading to unauthorized account access and, in the worst cases, complete takeover of the underlying server. The company that discovered the intrusions observed several distinct threat actors, each operating from its own infrastructure, exploiting the same flaw.

While one campaign focused on mass scanning and the retrieval of sensitive system files, another concentrated on establishing persistent access through web shells. The simultaneous abuse of the flaw by unconnected groups underlines how urgent the risk is for any unpatched Magento instance.

In that replay scenario the server still treats the captured token as an active session, so it grants the attacker the associated user’s access without ever checking a password. Used against an administrator account or a privileged API endpoint, this yields control of the entire store. Administrators running Magento are advised to apply the vendor’s security patch for CVE-2025-54236 without delay.

Furthermore, given how widely web shells were deployed, a thorough audit of the webroot for unrecognized files, together with a review of access logs for suspicious client IP addresses, is recommended to confirm that no persistent backdoor remains after patching.
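A starting point for that audit, and for spotting the scanning and web shell campaigns described above in one pass, as an added example that is not the reporting company’s tooling or the vendor’s guidance: a POSIX shell script that lists PHP files in the directories Magento writes to but should never serve code from, flags files that call execution primitives, ranks client IPs by REST API request volume, and pivots from the busiest client to everything it requested. The directory names (pub/media, var, generated), the Combined Log Format, the sample webroot and the log lines are all constructed assumptions for the example; the IPs are RFC 5737 documentation addresses, not real attacker infrastructure.

```shell
#!/bin/sh
# Added example: webroot and access-log triage for a Magento instance.
# Assumptions (labelled): standard Magento layout where pub/media, var and
# generated are writable but must never hold PHP; logs in Combined Log
# Format. The webroot and log below are constructed so the script runs offline.
set -eu

WEBROOT="$(mktemp -d)"
ACCESS_LOG="$WEBROOT/access.log"
trap 'rm -rf "$WEBROOT"' EXIT

# Constructed sample webroot: legitimate index.php and module code, a media
# file, and one PHP file dropped into the writable media directory.
mkdir -p "$WEBROOT/pub/media/catalog" "$WEBROOT/var/cache" "$WEBROOT/app/code/Vendor"
printf '<?php require __DIR__ . "/../app/bootstrap.php";\n' > "$WEBROOT/pub/index.php"
printf 'GIF89a' > "$WEBROOT/pub/media/catalog/logo.gif"
printf '<?php namespace Vendor\\Module; class Helper {}\n' > "$WEBROOT/app/code/Vendor/Helper.php"
printf '<?php eval(base64_decode($_POST["c"]));\n' > "$WEBROOT/pub/media/catalog/cache.php"

# Constructed access log. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges. With pub/ as the document root, the dropped file is
# reachable at /media/catalog/cache.php.
cat > "$ACCESS_LOG" <<'EOF'
198.51.100.7 - - [10/Oct/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:10:00:02 +0000] "GET /rest/V1/customers/me HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2025:10:00:03 +0000] "POST /rest/V1/carts/mine HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2025:10:00:04 +0000] "POST /media/catalog/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:10:00:05 +0000] "GET /rest/V1/products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF

# 1. Code files inside directories Magento writes to but never serves code
#    from. A clean install has none, so every hit needs a human look.
php_in_writable_dirs() {
    webroot="$1"
    for d in pub/media var generated; do
        if [ -d "$webroot/$d" ]; then
            find "$webroot/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
        fi
    done
}

# 2. PHP files anywhere in the tree that call a code- or command-execution
#    primitive. Legitimate code uses some of these too, so treat the output
#    as a triage list and diff it against a clean checkout of the same release.
shell_primitive_hits() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(^|[^A-Za-z0-9_])(eval|assert|system|passthru|shell_exec|popen|proc_open) *\(' {} + \
        || true
}

# 3. Client IPs hitting the REST API with request counts, busiest first.
#    Exploit tooling tends to appear as a few IPs with many /rest/ requests
#    and a non-browser User-Agent. Output columns: "count ip".
rest_clients_by_volume() {
    awk '$7 ~ /^\/rest\// { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# 4. Pivot: everything one IP requested, so a REST API outlier can be tied to
#    a later request for a dropped file. Output: "timestamp method path status".
requests_from_ip() {
    awk -v ip="$2" '$1 == ip { gsub(/\[/, "", $4); gsub(/"/, "", $6); print $4, $6, $7, $9 }' "$1"
}

echo "== PHP in writable directories =="
php_in_writable_dirs "$WEBROOT"
echo "== Files calling execution primitives =="
shell_primitive_hits "$WEBROOT"
echo "== REST API clients by volume =="
rest_clients_by_volume "$ACCESS_LOG"
echo "== All requests from the busiest REST client =="
busiest="$(rest_clients_by_volume "$ACCESS_LOG" | head -n 1 | awk '{ print $2 }')"
requests_from_ip "$ACCESS_LOG" "$busiest"
```

On a real system, point the four functions at the live webroot and the web server’s access log instead of the constructed ones. Anything returned by `php_in_writable_dirs` is a finding until proven otherwise; `shell_primitive_hits` is noisy on purpose and is best compared against the same list produced from a clean deployment of the identical release. The IP ranking and the per-IP pivot are what tie the two campaigns together: the same address that hammered the REST API is the one that later requested the dropped file.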