SESSIONREAPER, an exploitation campaign built around CVE-2025-54236, is targeting Magento stores through a flaw that lets attackers bypass authentication and gain root-level control. According to Oasis Security, the campaign is an aggressive mass-exploitation operation: more than 1,000 vulnerable Magento Commerce API endpoints have been identified, and hundreds of victims have already suffered full system compromise.
In one documented case, large-scale exploitation compromised more than 200 websites worldwide and yielded root-level access, enabling data theft, ransomware deployment, or lateral movement. Attackers have also been observed deploying web shells on Magento sites in Canada and Japan to maintain persistence. Applying the patch closes the entry point but does not remove a shell that was already planted, so a store patched after the fact must still be checked for compromise.
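Because a planted web shell survives the patch, the check a practitioner wants alongside the update is a hunt for leftover PHP. The script below is an added example written for this page, not code from Oasis Security, Adobe or the Magento project: it walks a Magento 2 tree and flags any PHP file that sits in a runtime-writable directory (pub/media, pub/static, var) or contains common web-shell constructs, reporting its modification time for triage. The directory layout and the content patterns are assumptions chosen for the example, and the sample tree it builds, including the planted shell, is constructed inline.

```python
"""Hunt for PHP web shells in a Magento 2 tree (post-patch compromise check)."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Assumption: standard Magento 2 layout. These runtime-writable directories
# hold uploads, caches and static assets and should never contain PHP code,
# so any .php/.phtml file found there is suspicious regardless of content.
NO_PHP_DIRS = (("pub", "media"), ("pub", "static"), ("var",))

# Generic content heuristics for PHP web shells. These are illustrative
# patterns chosen for this example, not indicators taken from the report.
SHELL_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "os-command-from-request": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "callable-from-request": re.compile(
        rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}


def in_no_php_dir(rel: Path) -> bool:
    """True if the tree-relative path lies under a directory that must not hold PHP."""
    return any(rel.parts[:len(d)] == d for d in NO_PHP_DIRS)


def scan_file(path: Path) -> list[str]:
    """Return the names of every shell pattern that matches the file's bytes."""
    data = path.read_bytes()
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]


def scan_tree(root: Path) -> list[dict]:
    """Walk the tree and collect suspicious PHP files with the reasons and mtime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = Path(dirpath) / name
            rel = full.relative_to(root)
            reasons = []
            if in_no_php_dir(rel):
                reasons.append("php-in-writable-dir")
            reasons.extend(scan_file(full))
            if reasons:
                findings.append({"path": rel.as_posix(), "reasons": reasons,
                                 "mtime": full.stat().st_mtime})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base: Path) -> Path:
    """Write a constructed Magento-like tree: two benign files and one planted shell."""
    (base / "app/code/Vendor/Module").mkdir(parents=True)
    (base / "app/code/Vendor/Module/Helper.php").write_text(
        "<?php\nnamespace Vendor\\Module;\nclass Helper { public function run(): int { return 1; } }\n")
    # Legitimate code may call exec() with a fixed command; that alone is not flagged.
    (base / "vendor/magento/framework").mkdir(parents=True)
    (base / "vendor/magento/framework/Shell.php").write_text(
        "<?php\nexec('ls -l', $out);\n")
    # Constructed sample shell dropped into the upload directory (not a real artifact).
    (base / "pub/media/catalog/product").mkdir(parents=True)
    (base / "pub/media/catalog/product/cache.php").write_text(
        "<?php @eval(base64_decode($_POST['c']));\n")
    return base


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    # Usage: python hunt.py /var/www/magento   (defaults to the constructed sample tree)
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['path']}  mtime={f['mtime']:.0f}  reasons={', '.join(f['reasons'])}")
```

A hit on "php-in-writable-dir" is actionable on its own, since nothing legitimate writes PHP into pub/media or var; the content patterns are a starting point, not a signature set, and a clean run does not prove a store is uncompromised. Treat the reported mtime as a lead for correlating with web server logs around the time of exploitation.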
Oasis Security’s report also points to active C2 infrastructure, including a Finnish IP address, 93.152.230[.]161, associated with the operation, and warns that 1,460 API endpoints remain vulnerable to CVE-2025-54236 exploitation, underscoring the need for urgent patching of Magento installations.