A severe authentication vulnerability in Magento, tracked as CVE-2025-54236 and dubbed “SessionReaper,” has led to the compromise of over 200 e-commerce websites. Attackers exploited this flaw to gain root-level access, hijacking systems and potentially exfiltrating sensitive customer data. The widespread attack campaign, identified in January 2026, highlights a significant ongoing threat to online retailers relying on the popular Magento platform.
Security researchers at Oasis Security have identified multiple independent intrusion incidents demonstrating the global reach and weaponization of this critical flaw. The vulnerability allows attackers to reuse uninvalidated session tokens, effectively bypassing authentication mechanisms and enabling unauthorized administrative control over Magento stores. This has resulted in a coordinated wave of web server compromises impacting various industries and geographical regions.
Exploiting Magento Vulnerabilities for Root Access
The core of the ongoing attack campaign hinges on the exploitation of CVE-2025-54236, a severe authentication flaw present in Magento. This vulnerability, known as SessionReaper, enables attackers to gain unauthorized access by leveraging seemingly legitimate, yet improperly invalidated, session tokens. These tokens act as digital keys that authenticate user sessions. When the Magento application fails to properly invalidate these tokens after a user logs out, attackers can intercept and replay them to impersonate legitimate administrators, circumventing all password protection and security measures.
Oasis Security analysts observed distinct threat actors engaging in these attacks across different regions, indicating that knowledge of the SessionReaper vulnerability, and the ability to exploit it, is widely shared. Their research revealed a massive scanning effort by attackers targeting vulnerable Magento APIs. This reconnaissance phase identified over 1,000 vulnerable APIs, ultimately leading to the successful compromise of 200 websites, granting attackers complete root-level administrative control.
Infection Mechanism and Persistence Tactics
The infection mechanism employed by attackers involves a systematic approach to gaining and maintaining control over compromised Magento infrastructure. Following the initial breach through session hijacking, attackers escalated their privileges to achieve root access, the highest level of system control on Linux servers. This escalation is a critical step for establishing persistence and enabling further malicious activities.
Once root access was achieved, attackers deployed web shells, which are essentially backdoors that provide remote command execution capabilities. This allows for ongoing system manipulation, data exfiltration, and the establishment of a more permanent presence. Evidence from compromised systems, including sensitive files detailing system user accounts and credentials, suggests thorough system exploration and a high likelihood of data theft.
The investigation uncovered command and control (C2) infrastructure operating from Finland and Hong Kong. Intriguingly, separate threat actors were identified conducting web shell deployment operations specifically targeting Magento sites in Canada and Japan. This indicates a degree of compartmentalization among attacker groups, yet a shared objective of exploiting the Magento vulnerability.
Moreover, the attackers maintained meticulously organized logs. These logs detailed compromised websites, the specific paths where web shells were deployed, and control keys used for access. This level of detail demonstrates sophisticated operational security and systematic targeting strategies, suggesting these are not opportunistic attacks but well-planned operations.
Organizations utilizing Magento are strongly advised to immediately patch this vulnerability and conduct thorough audits of their server logs for any signs of suspicious session token activity. The pervasive nature of this campaign underscores the critical importance of timely security updates and continuous monitoring of e-commerce platforms. These platforms often host valuable customer data and payment information, making them prime targets for cybercriminals.
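The audit recommended above can be partly automated. The following is an added example, not code from Oasis Security, Magento or the article: it reads a constructed, simplified request log (timestamp, client IP, method, path and the session token presented) and flags any request that presents a token already seen in a logout request, which is the post-logout replay the article describes. The log format, the `sid=` field and the `/logout` path are assumptions for illustration; a real Magento deployment's log layout differs.

```python
import re

# Constructed sample log (not from any real incident). Fields: timestamp,
# client IP, HTTP method, path, session token. Lines are assumed to be in
# chronological order, which is what the replay check relies on.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 198.51.100.7 GET /admin/dashboard sid=a1b2c3
2026-01-10T09:05:12Z 198.51.100.7 POST /admin/logout sid=a1b2c3
2026-01-10T09:07:44Z 203.0.113.9 GET /admin/customers sid=a1b2c3
2026-01-10T09:08:01Z 203.0.113.9 POST /admin/system/config sid=a1b2c3
2026-01-10T09:10:00Z 192.0.2.5 GET /admin/dashboard sid=d4e5f6
2026-01-10T09:12:30Z 192.0.2.5 POST /admin/logout sid=d4e5f6
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) sid=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, sid = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "sid": sid}


def find_replayed_sessions(log_text):
    """Return findings for requests that reuse a session token after that token
    appeared in a logout request. A server that invalidates sessions correctly
    should reject such requests; seeing them succeed is the replay signal."""
    logged_out = {}  # sid -> (timestamp, client IP) of the logout request
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        sid = rec["sid"]
        if sid in logged_out:
            out_ts, out_ip = logged_out[sid]
            findings.append({"sid": sid, "ts": rec["ts"], "ip": rec["ip"],
                             "path": rec["path"], "logout_ts": out_ts,
                             "new_client": rec["ip"] != out_ip})
        if rec["path"].endswith("/logout"):
            logged_out[sid] = (rec["ts"], rec["ip"])
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_LOG):
        where = "DIFFERENT IP" if f["new_client"] else "same IP"
        print(f"{f['ts']} sid={f['sid']} reused after logout at {f['logout_ts']} "
              f"from {f['ip']} ({where}) -> {f['path']}")
```

Post-logout reuse from a different client address is the higher-confidence case; reuse from the same address may be a stale browser tab and deserves a second look rather than an immediate alert.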
The ongoing exploitation of the SessionReaper vulnerability suggests that it may continue to be a significant threat to Magento users until all vulnerable systems are secured. The lack of immediate patching could lead to further compromises and potential data breaches, impacting both businesses and their customers. The next expected steps involve continued efforts by security researchers to track attacker infrastructure and by Magento administrators to implement recommended security patches and hardening measures.