Skip to content

Add Magento SessionReaper (CVE-2025-54236) exploit module #20725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Chocapikk wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Add Magento SessionReaper (CVE-2025-54236) exploit module #20725

Chocapikk wants to merge 9 commits into from
+670 −0

Conversation

@Chocapikk
Copy link
Contributor

@Chocapikk Chocapikk commented Nov 24, 2025
edited
Loading

Hello Metasploit Team,

This PR adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution.

The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint. The exploit chain consists of:

  1. Uploading a malicious PHP session file containing a Guzzle/FW1 deserialization payload via the unauthenticated /customer/address_file/upload endpoint
  2. Triggering deserialization by sending a crafted JSON payload to the REST API endpoint /rest/default/V1/guest-carts/{cart_id}/order that modifies the session savePath to point to the uploaded file
  3. Executing the uploaded PHP code to gain remote code execution

This module supports multiple targets:

  • PHP In-Memory (php/meterpreter/reverse_tcp)
  • Unix/Linux Command Shell (cmd/linux/http/x64/meterpreter/reverse_tcp)
  • Windows Command Shell (cmd/windows/http/x64/meterpreter/reverse_tcp)

The module includes:

  • Automatic vulnerability detection via the check() method
  • Support for both PHP and command payloads
  • Complete documentation with real-world examples
  • Automatic file cleanup using FileDropper mixin

The module has been tested against Magento 2.4.4 and passes all code quality checks (msftidy, rubocop, msftidy_docs).

Thanks

@Chocapikk Chocapikk closed this Nov 24, 2025
@Chocapikk Chocapikk deleted the magento branch November 24, 2025 20:06
@Chocapikk Chocapikk restored the magento branch November 24, 2025 20:07
@Chocapikk Chocapikk reopened this Nov 24, 2025
@dledda-r7
Copy link
Contributor

dledda-r7 commented Nov 25, 2025

@Chocapikk Welcome back 🔥

jvoisin
jvoisin reviewed Nov 25, 2025
View reviewed changes
@jheysel-r7 jheysel-r7 self-assigned this Dec 5, 2025
@jheysel-r7 jheysel-r7 added module docs rn-fix release notes fix rn-modules release notes for new or majorly enhanced modules labels Dec 5, 2025
@jheysel-r7 jheysel-r7 removed the rn-fix release notes fix label Dec 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jvoisin jvoisin jvoisin left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@jheysel-r7 jheysel-r7

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Chocapikk @dledda-r7 @jvoisin @jheysel-r7