CVE-2025-54236

CRITICAL KEV NUCLEI LAB

Magento SessionReaper

Title source: metasploit

Exploitation Summary

CVE-2025-54236 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2025. EIP tracks 7 public exploits from researchers including wubinworks, brito101, and Jenderal92, as well as a Metasploit module, exploits/multi/http/magento_sessionreaper. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a patch for CVE-2025-54236 (Session Reaper) in Magento 2, which allows customer account takeover and RCE under certain conditions. The patch is implemented as a Magento 2 extension and includes detailed technical analysis and mitigation code.

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Exploits (7)

nomisec WRITEUP 1 star
by wubinworks · poc
https://github.com/wubinworks/magento2-session-reaper-patch

This repository provides a patch for CVE-2025-54236 (Session Reaper) in Magento 2, which allows customer account takeover and RCE under certain conditions. The patch is implemented as a Magento 2 extension and includes detailed technical analysis and mitigation code.

Classification
Writeup 95%
Attack Type
RCE | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Magento 2.3, 2.4
No auth needed
Prerequisites: Access to Magento 2 instance · Ability to send crafted requests to the Web API
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by brito101 · remote
https://github.com/brito101/session_reaper_lab

This repository contains a functional exploit for CVE-2025-54236, targeting a PHP object deserialization vulnerability in Magento 2 / Adobe Commerce. The exploit leverages multiple deserialization vectors to achieve remote code execution by manipulating session storage paths and uploading malicious serialized session files.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Magento 2 / Adobe Commerce
No auth needed
Prerequisites: File-based session storage enabled · Access to /customer/address_file/upload endpoint
devstral-2 · analyzed May 25, 2026

nomisec WORKING POC
by Jenderal92 · poc
https://github.com/Jenderal92/magento-upload-auto-submit-zoneh

This repository contains a functional exploit for CVE-2025-54236, targeting a file upload vulnerability in Magento. The script automates the upload of a text file to a vulnerable endpoint and verifies its accessibility, demonstrating unauthorized file upload capabilities.

Classification
Working PoC 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Magento (version not specified)
No auth needed
Prerequisites: Target Magento instance with vulnerable endpoint · Network access to the target
devstral-2 · analyzed May 13, 2026

nomisec WORKING POC
by alexb616 · remote
https://github.com/alexb616/SessionReaper-CVE-2025-54236

This repository contains a functional Python PoC for CVE-2025-54236, a PHP object deserialization vulnerability in Magento 2 / Adobe Commerce leading to unauthenticated RCE. It implements three distinct deserialization vectors via REST API endpoints to exploit improper input validation in ServiceInputProcessor.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Magento 2 / Adobe Commerce
No auth needed
Prerequisites: file-based session storage · access to /customer/address_file/upload endpoint
devstral-2 · analyzed Mar 20, 2026

nomisec WORKING POC
by Baba01hacker666 · remote
https://github.com/Baba01hacker666/cve-2025-54236

This repository contains a functional exploit for CVE-2025-54236, targeting a deserialization vulnerability in Magento 2.4.x/Adobe Commerce. The exploit leverages a Monolog gadget chain to achieve remote code execution (RCE) via crafted input in the 'region' or 'extension_attributes' fields of a guest cart request.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Magento 2.4.x / Adobe Commerce
No auth needed
Prerequisites: PHP installed for payload generation · Target running vulnerable Magento version
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by amalpvatayam67 · poc
https://github.com/amalpvatayam67/day01-sessionreaper-lab

This repository contains a functional exploit PoC for CVE-2025-54236, demonstrating improper validation of nested JSON leading to remote command execution. The exploit leverages a vulnerable PHP API endpoint that processes nested JSON input without proper sanitization, allowing arbitrary command execution via the 'payload.cmd' field.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: Custom educational PHP application (simulating CVE-2025-54236)
No auth needed
Prerequisites: Docker environment to run the vulnerable application · Network access to the target application
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Blaklis, Tomais Williamson · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/magento_sessionreaper.rb

This Metasploit module exploits CVE-2025-54236, a critical unauthenticated RCE vulnerability in Magento/Adobe Commerce via deserialization and file upload. It chains unauthenticated session file upload with REST API manipulation to achieve remote code execution.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: Magento/Adobe Commerce 2.x
No auth needed
Prerequisites: File-based session storage enabled · Unauthenticated access to /customer/address_file/upload endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Adobe Commerce - Authentication Bypass
CRITICAL · VERIFIED · by DhiyaneshDK, slcyber, johnk3r
Shodan: X-Magento-Tags

Scores

CVSS v3 9.1
EPSS 0.7215
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull lab-magento-php:8.2
docker pull elasticsearch:7.17.14

Details

CISA KEV 2025-10-24
VulnCheck KEV 2025-10-21
ENISA EUVD EUVD-2025-27277
CWE CWE-20
Status published
Products (4)
adobe/commerce 2.4.4 (16 CPE variants)
adobe/commerce 2.4.5 (15 CPE variants)
adobe/commerce 2.4.6 (13 CPE variants)
adobe/commerce 2.4.7 (6 CPE variants)
Published Sep 09, 2025
KEV Added Oct 24, 2025
Tracked Since Feb 18, 2026