A new wave of cyberattacks is targeting online stores running Adobe Commerce by exploiting a critical vulnerability dubbed 'SessionReaper' (CVE-2025-54236). The flaw, which allows attackers to take over customer sessions without any user interaction, is now being actively exploited in the wild, weeks after Adobe released an emergency patch. Security firm Sansec reported blocking over 250 exploit attempts in a single day. The vulnerability is considered particularly severe because it can be triggered more easily on stores using the default file-system session storage. The public availability of technical details and a leaked hotfix has likely aided attackers in weaponizing the exploit, potentially enabling remote code execution. This situation poses a significant risk to Adobe Commerce customers, as attackers have been observed installing webshells to maintain persistent access to compromised stores.