Magento Flaw Lets Hackers Hijack Sessions, Run Code
Security researchers at Akamai have issued an urgent alert following the discovery of active attacks targeting a critical Magento flaw that lets hackers take over user sessions and execute remote code without authentication. Tracked as CVE-2025-54236 and dubbed “SessionReaper,” the vulnerability allows attackers to hijack sessions and gain high-level access to Magento-based online stores.
Akamai’s Security Intelligence Group observed live exploitation of the flaw in the wild, raising concerns about widespread compromise of unpatched systems. The Magento flaw lets hackers bypass authentication mechanisms, giving them direct control over vulnerable servers. Threat actors are reportedly leveraging this weakness to execute remote code and steal sensitive data.
In addition to CVE-2025-54236, researchers flagged five other vulnerabilities this week, including CVE-2025-62725, CVE-2025-12080, CVE-2025-11371, CVE-2025-54253, and CVE-2025-27915. Organizations running Magento should apply available patches immediately to mitigate risk.
For full technical details and mitigation steps, read the official report here:
