👻 This Halloween, make sure *you* haunt vulnerabilities - not the other way around. 😈

October updates are here, and they’re a real treat for security teams.

Check out the new powers you can use to keep monsters out:
🕸️ Catch 2 new RCEs before attackers do (Fortra GoAnywhere & SolarWinds).
🎯 Validate #SessionReaper safely with Sniper: Auto-Exploiter.
☁️ Scan private Azure environments securely with our new VPN Agent.
📁 Download multiple reports in one go (no more manual horrors).
📚 See how we help MSPs, consultants & internal teams - and hear it from them if we do a good job (or not).

https://youtu.be/F8E5H0oO-pk

🍭 Check the changelog for the full basket: https://pentest-tools.com/change-log

#cybersecurity #vulnerabilitymanagement #offensivesecurity #azure

Attackers are exploiting a critical vulnerability in Adobe Commerce and Magento

In September, Adobe released updates for Commerce and Magento that close a critical vulnerability. It is now being attacked.

heise online

🏴‍☠️ We built a #SessionReaper (CVE-2025-54236) exploit against Magento 2 & Adobe Commerce and documented the *full* hunt 🔦 — from repo diffs and endpoint discovery to a lab-tested PoC and Sniper automation.

If you research or defend e-commerce apps, this one’s practical: reproducible steps, debug tips, and what to look for on your instances.

Read the full breakdown and PoC by Matei "Mal" Badanoiu (aka CVE Jesus) & David Bors! 👉 https://pentest-tools.com/blog/sessionreaper-cve-2025-54236-exploit

⚠️ "Six weeks after Adobe's emergency patch for #SessionReaper (CVE-2025-54236), the vulnerability has entered a phase of active exploitation."

➡️ According to Sansec, only 38% of #Magento sites are up to date; 3 out of 5 remain vulnerable to remote code execution

Technical details and full timeline on the Sansec blog.
👇
https://sansec.io/research/sessionreaper-exploitation

Article (in French)
👇
https://infosec.pub/post/36573308

Technical analysis / diff of the patch
👇
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

(G)CVE details
👇
https://cve.circl.lu/vuln/CVE-2025-54236

#CyberVeille #CVE_2025_54236

SessionReaper attacks have started, 3 in 5 stores still vulnerable

Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. Sansec Shield blocked dozens of attacks today. With ...

Sansec

A dangerous flaw in Adobe Commerce lets hackers hijack customer sessions with zero effort—and 60% of Magento stores are still unpatched. Is your business vulnerable?

https://thedefendopsdiaries.com/understanding-and-responding-to-the-sessionreaper-vulnerability-in-adobe-commerce/

#sessionreaper
#adobecommerce
#magento
#cve202554236
#ecommercesecurity

🚨 Critical Magento & Adobe Commerce Flaw (CVE-2025-54236 – SessionReaper) 🚨

Impact: Customer account takeover + unauthenticated remote code execution (CVSS 9.1 Critical).

👉 Full details and action steps: https://hostvix.com/sessionreaper-critical-magento-adobe-commerce-vulnerability-cve-2025-54236/

#Magento #AdobeCommerce #SessionReaper #CVE202554236 #CVE #Infosec #CyberSecurity #AppSec #WebSecurity #SecOps #BlueTeam #RedTeam #ThreatIntel #Vulnerability #PatchNow #ZeroDay #Exploit #EcommerceSecurity #DataSecurity #SecurityUpdate

SessionReaper: Critical Magento & Adobe Commerce Vulnerability (CVE-2025-54236) - Hostvix

Adobe Commerce and Magento Open Source have been hit by a vulnerability called SessionReaper (CVE-2025-54236). This bug allows attackers not only to take over customer accounts but also — under certain conditions — to execute malicious code remotely. Sansec Forensics, who analyzed the issue, warn that this vulnerability is among the most severe in Magento’s...

Hostvix

Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts

Adobe fixed a critical flaw in its Commerce and Magento Open Source platforms that allows an attacker to take over customer accounts.

Security Affairs

Adobe Commerce is under threat—a new flaw, SessionReaper, lets hackers hijack live sessions like an open front door. Learn why immediate patching is crucial to keep your eCommerce safe.

https://thedefendopsdiaries.com/understanding-and-mitigating-the-sessionreaper-vulnerability-in-adobe-commerce/

#sessionreaper
#adobecommerce
#magento
#cybersecurity
#vulnerability

Mage-OS 1.3.1: Important security update - Mage-OS

This release is based on Magento 2.4.8-p2 and adds an important security patch.

Mage-OS

Additional information from Sansec, who has nicknamed this vulnerability "SessionReaper":

https://sansec.io/research/sessionreaper

#AdobeCommerce #Magento #MageOS #Infosec #Security #SessionReaper

SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)

Adobe released an out-of-band emergency patch for SessionReaper (CVE-2025-54236). The bug may hand control of a store to unauthenticated attackers. Automated...

Sansec