Threat actors successfully exploited a serious authentication vulnerability to gain total system control, resulting in a critical security breach that exposed several Magento e-commerce platforms globally. This article examines the exploited authentication vulnerability. One of the biggest waves of coordinated web server compromises in recent months, the attack campaign was discovered in January 2026 and affected hundreds of online retailers across industries and geographical areas.

The core of this attack is a vulnerability called CVE-2025-54236, or SessionReaper, which permits unauthorized access by reusing session tokens that the Magento application failed to properly invalidate. Similar to digital keys, these session tokens are used to confirm a user's identity.

Figure: 216 victim sites identified (Source: Oasis Security)

When Magento fails to destroy these keys after users log out, attackers can intercept and replay them to gain access as legitimate administrators, bypassing all password protections and security measures. Oasis Security analysts discovered numerous separate intrusion incidents in which various threat actors used CVE-2025-54236 against Magento environments in different parts of the world, indicating that this vulnerability was widely known and weaponized. The research team found that attackers had conducted extensive vulnerability scans, finding over 1,000 vulnerable Magento APIs and successfully gaining root-level administrative access to 200 websites.
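The defect class the article describes, a logout that does not revoke the token on the server, is easiest to see next to a store that does revoke it. The following toy session stores are an added illustration, not Magento code and not the CVE-2025-54236 fix; the cookie name, idle timeout and the `replay_after_logout_succeeds` helper are assumptions made for the example.

```python
"""Toy session stores contrasting a logout that only clears the client cookie
with one that revokes the token server-side, expires idle sessions, and
rotates tokens on re-authentication. Added example; not Magento's code."""
import secrets
import time


class LeakySessionStore:
    """Logout only tells the browser to drop its cookie. The server-side entry
    survives, so anyone holding a copy of the token can keep using it."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def logout(self, token):
        # Defect: nothing is removed from self._sessions.
        return "Set-Cookie: admin=; Max-Age=0"

    def resolve(self, token):
        """Return the user bound to the token, or None if it is not valid."""
        return self._sessions.get(token)


class RevokingSessionStore:
    """Logout deletes the server-side entry, tokens expire after a fixed idle
    time, and a new login issues a fresh token so an old one cannot be carried
    across the authentication boundary."""

    def __init__(self, idle_ttl=900, clock=time.monotonic):
        self._sessions = {}  # token -> (username, last_seen)
        self._idle_ttl = idle_ttl  # assumed 15-minute idle limit
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, username, old_token=None):
        if old_token is not None:
            self._sessions.pop(old_token, None)  # rotate: the old token dies here
        token = secrets.token_hex(16)
        self._sessions[token] = (username, self._clock())
        return token

    def logout(self, token):
        self._sessions.pop(token, None)  # revoke server-side, not just client-side
        return "Set-Cookie: admin=; Max-Age=0"

    def resolve(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_ttl:
            del self._sessions[token]  # expired: treated exactly like a revoked token
            return None
        self._sessions[token] = (username, now)  # refresh idle timer on use
        return username


def replay_after_logout_succeeds(store):
    """Simulate a token copied before logout and presented again afterwards.
    Returns True when the store still honours it, i.e. the defect is present."""
    token = store.login("admin")
    captured = token  # the copy an attacker would hold
    store.logout(token)
    return store.resolve(captured) == "admin"


if __name__ == "__main__":
    print("leaky store honours replayed token:",
          replay_after_logout_succeeds(LeakySessionStore()))
    print("revoking store honours replayed token:",
          replay_after_logout_succeeds(RevokingSessionStore()))
```

The point of the revoking store is that every decision about whether a token is still good is made from server-side state: the client being told to forget a cookie proves nothing about what the attacker's copy can still do.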

Mechanism of infection

The infection mechanism shows how attackers took full control of the victim's infrastructure by methodically exploiting this vulnerability.

After gaining initial access through session hijacking, attackers elevated their privileges to obtain root access, the highest level of system control on Linux servers. For persistence they deployed web shells, small scripts that give attackers remote command execution for continuous system manipulation and data theft. Evidence shows that compromised systems contained sensitive files listing system user accounts and credentials, indicating thorough system exploration and potential data exfiltration.

The investigation found that distinct threat actors were using web shell deployment operations to target Magento sites in Canada and Japan, and that command and control infrastructure was operating out of Finland and Hong Kong.

Figure: 1,460 vulnerable APIs, success_api_2025.txt (Source: Oasis Security)

The attackers maintained detailed logs of compromised websites and deployed shell paths, demonstrating organized operational security and systematic targeting. Businesses using Magento need to fix this vulnerability right away and check their server logs for unusual session token usage. 404_key.txt is a structured log entry that contains victim URLs, deployed web shell paths, and control keys.
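The advice above to check server logs for unusual session token usage can be turned into a concrete first-pass check. The script below is an added example, not Oasis Security's tooling or anything from Magento; the log line shape, the logout endpoint path and the sample lines (built from RFC 5737 documentation addresses) are constructed assumptions, so adapt the regular expression and `LOGOUT_PATHS` to what your web server actually records.

```python
"""Flag session tokens that keep being used after their session logged out,
or that appear from more than one client address. Added example; the log
format, logout path and sample lines are assumptions, not Magento's."""
import re
from collections import defaultdict

# Assumed line shape: "<iso-timestamp> <client-ip> <METHOD> <path> <status> session=<hex>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) session=(?P<session>[0-9a-f]+)$"
)

# Assumed logout endpoint; adjust to the paths your deployment logs.
LOGOUT_PATHS = {"/admin/auth/logout"}

# Constructed sample: token a1b2c3d4 logs out from 203.0.113.10 and then
# reappears from 198.51.100.7; token ffee0011 behaves normally.
SAMPLE_LOG = """\
2026-01-14T10:01:02Z 203.0.113.10 GET /admin/dashboard 200 session=a1b2c3d4
2026-01-14T10:04:30Z 203.0.113.10 POST /admin/auth/logout 302 session=a1b2c3d4
2026-01-14T10:07:11Z 198.51.100.7 GET /admin/dashboard 200 session=a1b2c3d4
2026-01-14T10:07:45Z 198.51.100.7 POST /admin/system/config 200 session=a1b2c3d4
2026-01-14T10:10:00Z 192.0.2.55 GET /admin/dashboard 200 session=ffee0011
2026-01-14T10:12:00Z 192.0.2.55 POST /admin/auth/logout 302 session=ffee0011
this line does not match the expected format and is skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Return a list of finding dicts; an empty list means nothing was flagged.

    Two signals are raised:
      reuse_after_logout  - a request with a token whose session already logged out
      multiple_source_ips - one token seen from more than one client address
    """
    findings = []
    ips_by_session = defaultdict(set)
    logged_out = set()
    already_reported = set()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than guessed at
        sid = rec["session"]
        ips_by_session[sid].add(rec["ip"])

        is_logout = rec["path"] in LOGOUT_PATHS
        if sid in logged_out and not is_logout and sid not in already_reported:
            # First request seen with this token after its logout: report once.
            findings.append({"kind": "reuse_after_logout", "session": sid,
                             "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
            already_reported.add(sid)
        if is_logout:
            logged_out.add(sid)

    for sid, ips in ips_by_session.items():
        if len(ips) > 1:
            findings.append({"kind": "multiple_source_ips", "session": sid,
                             "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both signals are leads, not verdicts: a user behind a mobile carrier or corporate proxy can legitimately change address mid-session, and a client that retries a stale request right after logout will trip the first check once. Corroborate a hit by looking at what the reused token did next (configuration changes, file uploads, new admin users) rather than acting on the reuse alone. If your access logs do not carry a session identifier at all, log a keyed hash of it rather than the raw token, so the log itself does not become another place the key can be stolen from.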

Figure (Source: Oasis Security)

The campaign's widespread reach highlights how crucial it is to apply timely security updates and maintain ongoing oversight of e-commerce platforms that store sensitive customer and payment data.