Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Cyber Attack.

Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with sansec (research and advisory), and containment measures with waf rule deployed for adobe commerce on cloud customers, containment measures with emergency patch release, and remediation measures with patch deployment (disables internal magento functionality), remediation measures with updated rest api documentation, and communication strategy with direct notifications to selected customers (2025-09-04), communication strategy with public security bulletin, communication strategy with urgent patching advisory, and adaptive behavioral waf with deployed for adobe commerce on cloud as interim mitigation, and incident response plan activated with sansec shield detection/blocking, and third party assistance with sansec (detection/analysis), third party assistance with searchlight cyber (technical analysis), and containment measures with blocking exploitation attempts (sansec shield), containment measures with patching vulnerability (recommended), and remediation measures with apply adobe security update, remediation measures with mitigations per adobe advisory, and communication strategy with public advisory by adobe (2025-09-08), communication strategy with sansec bulletin, communication strategy with searchlight cyber technical analysis, and enhanced monitoring with sansec shield (ongoing detection), and and third party assistance with sansec, third party assistance with assetnote/searchlight cyber, and containment measures with blocking exploit attempts (250+ blocked), containment measures with ip blacklisting, and remediation measures with apply adobe hotfix (released 2025-09-09), remediation measures with upgrade to latest secure version, remediation measures with scan for signs of compromise, and communication strategy with public advisory by sansec, communication strategy with technical deep-dive by assetnote, communication strategy with urgent patching recommendations, and enhanced monitoring with monitor for exploitation attempts, enhanced monitoring with scan for webshells/phpinfo probes, and third party assistance with sansec (warning & analysis), third party assistance with searchlight cyber (technical analysis), and containment measures with urgent patch application recommended, and remediation measures with apply adobe security updates, remediation measures with monitor for php webshells, remediation measures with restrict access to '/customer/address_file/upload', and communication strategy with public advisory by sansec, communication strategy with revised adobe security bulletin, and enhanced monitoring with monitor for attacks from known malicious ips, and third party assistance with cyble research and intelligence labs (cril), and containment measures with block html attachments at email gateway, containment measures with restrict access to telegram api, containment measures with retroactive review of user activity for compromise signs, and remediation measures with user training on evolving phishing tactics, remediation measures with enhanced email vetting procedures, remediation measures with integration of threat intelligence feeds, and communication strategy with public advisory via cyble reports, communication strategy with media outreach (google news, linkedin, x), and enhanced monitoring with monitor for unusual login attempts, enhanced monitoring with track telegram api traffic..

Common Attack Types: The most common types of attacks the company has faced is Vulnerability.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Exploiting CVE-2025-54236 via REST API, Commerce REST API (CVE-2025-54236)PHP File Upload ('/customer/address_file/upload') and Phishing Emails with HTML Attachments.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Customer Names, Payment Card Expiration Dates, Encrypted Payment Card Numbers, , Session Data (Potential), Customer Account Access (If Exploited), , Potential: Customer Account Credentials, Session Data, Sensitive Information (If Rce Achieved), , Customer Account Credentials (Potential), , Credentials (Email/Password Combinations), Device Metadata (Ip Address, User-Agent) and .

Incident Response Plan: The company's incident response plan is described as Sansec Shield Detection/Blocking, , .

Third-Party Assistance: The company involves third-party assistance in incident response through Sansec (research and advisory), , Sansec (Detection/Analysis), Searchlight Cyber (Technical Analysis), , Sansec, Assetnote/Searchlight Cyber, , Sansec (Warning & Analysis), Searchlight Cyber (Technical Analysis), , Cyble Research and Intelligence Labs (CRIL), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patch deployment (disables internal Magento functionality), Updated REST API documentation, , Apply Adobe Security Update, Mitigations per Adobe Advisory, , Apply Adobe Hotfix (released 2025-09-09), Upgrade to Latest Secure Version, Scan for Signs of Compromise, , Apply Adobe Security Updates, Monitor for PHP Webshells, Restrict Access to '/customer/address_file/upload', , User Training on Evolving Phishing Tactics, Enhanced Email Vetting Procedures, Integration of Threat Intelligence Feeds, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by waf rule deployed for adobe commerce on cloud customers, emergency patch release, , blocking exploitation attempts (sansec shield), patching vulnerability (recommended), , blocking exploit attempts (250+ blocked), ip blacklisting, , urgent patch application recommended, , block html attachments at email gateway, restrict access to telegram api, retroactive review of user activity for compromise signs and .

Key Lessons Learned: The key lessons learned from past incidents are Critical vulnerabilities in widely used e-commerce platforms can have severe, automated exploitation risks.,Proactive patching and interim mitigations (e.g., WAF rules) are essential for high-severity flaws.,Leaked hotfixes can accelerate threat actor exploit development, emphasizing the need for rapid response.,Default configurations (e.g., file-system session storage) can amplify vulnerability impact.Critical vulnerabilities in widely used e-commerce platforms can lead to rapid, large-scale exploitation if left unpatched.,Default configurations (e.g., file-system session storage) can exacerbate risk.,Slow patch adoption (62% unpatched after 6 weeks) highlights the need for automated update mechanisms or stricter enforcement.Critical vulnerabilities in widely-used e-commerce platforms are prime targets for mass exploitation.,Delayed patching significantly increases risk (only 38% patched at time of attacks).,Public disclosure of exploit details accelerates attacker activity (mass exploitation expected within 48 hours).,File-based session storage introduces higher risk of RCE in this vulnerability.Delayed patching increases exploitation risk, as seen with 62% of Magento stores remaining vulnerable six weeks post-disclosure.,Deserialization flaws in e-commerce platforms are high-value targets for threat actors, requiring prioritized remediation.,Public PoC exploits accelerate attack timelines, necessitating proactive monitoring and defense-in-depth strategies.HTML attachments can bypass traditional security controls (e.g., URL filtering).,Telegram Bot API abuse complicates detection by decentralizing C2 infrastructure.,Brand impersonation with regional/localized templates increases campaign effectiveness.,Anti-forensics (e.g., blocking keyboard shortcuts, sandbox evasion) raises analysis difficulty.,Modular toolkits enable rapid adaptation to new brands/languages.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney General, and Source: Sansec Advisory on SessionReaper, and Source: Adobe Security Bulletin for CVE-2025-54236, and Source: Adobe Commerce REST API Documentation Updates, and Source: Adobe Security Bulletin (CVE-2025-54236)Date Accessed: 2025-09-08, and Source: Sansec Bulletin on SessionReaper ExploitationDate Accessed: 2025-10-20 (approx., 6 weeks post-patch), and Source: Searchlight Cyber Technical AnalysisDate Accessed: 2025-10-20 (approx.), and Source: Sansec Research AdvisoryDate Accessed: 2025-09-11, and Source: Assetnote/Searchlight Cyber Technical Deep-Dive by Tomais WilliamsonDate Accessed: 2025-09-11, and Source: Adobe Security Bulletin for CVE-2025-54236Date Accessed: 2025-09-09, and Source: Sansec Advisory on CVE-2025-54236 Exploitation, and Source: Adobe Security Bulletin for CVE-2025-54236, and Source: Searchlight Cyber Technical Analysis of CVE-2025-54236, and Source: Cyble Research and Intelligence Labs (CRIL).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Direct Notifications To Selected Customers (2025-09-04), Public Security Bulletin, Urgent Patching Advisory, Public Advisory By Adobe (2025-09-08), Sansec Bulletin, Searchlight Cyber Technical Analysis, Public Advisory By Sansec, Technical Deep-Dive By Assetnote, Urgent Patching Recommendations, Public Advisory By Sansec, Revised Adobe Security Bulletin, Public Advisory Via Cyble Reports, Media Outreach (Google News, Linkedin and X).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Adobe Notified Selected Commerce Customers On 2025-09-04 About The Upcoming Patch., Public Advisory Issued With Patch Release On 2025-09-09., Urgent Recommendation To Apply The Patch Immediately., Warning About Potential Custom Code Breakage Due To Disabled Internal Functionality., Guidance To Test The Patch In Non-Production Environments First., , Adobe Commerce Administrators: Urgent Patching Required., E-Commerce Security Teams: Monitor For Indicators Of Compromise (Iocs) Tied To The 5 Attacker Ips., Customers: Watch For Unauthorized Account Activity., Users Of Adobe Commerce/Magento Stores Should:, - Change Passwords If Suspicious Activity Is Detected., - Enable Multi-Factor Authentication (Mfa) Where Available., - Monitor Transaction Histories For Fraud., , Urgent Patching Recommended For All Adobe Commerce/Magento Open Source Users, Monitor Accounts For Unauthorized Activity, Report Suspicious Login Attempts, , Adobe Security Bulletin Update, Sansec Public Warning, Urgent Patch Notification For Magento/Adobe Commerce Users, , Security Teams: Update Email Filtering Rules And Monitor Telegram Api Traffic., Executives: Allocate Resources For User Training And Threat Intelligence Integration., Verify Login Prompts Carefully, Especially In Emails With Attachments., Report Suspicious Emails To It/Security Teams Immediately., Enable Mfa On All Accounts To Reduce Credential Theft Impact. and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Sansec (Research And Advisory), , Sansec (Detection/Analysis), Searchlight Cyber (Technical Analysis), , Sansec Shield (Ongoing Detection), , Sansec, Assetnote/Searchlight Cyber, , Monitor For Exploitation Attempts, Scan For Webshells/Phpinfo Probes, , Sansec (Warning & Analysis), Searchlight Cyber (Technical Analysis), , Monitor For Attacks From Known Malicious Ips, , Cyble Research And Intelligence Labs (Cril), , Monitor For Unusual Login Attempts, Track Telegram Api Traffic, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patch Deployment To Disable Vulnerable Internal Functionality., Waf Rule Deployment For Cloud Customers As Interim Mitigation., Documentation Updates For Secure Rest Api Usage., , Adobe: Release Emergency Patch And Public Advisory., Sansec: Deploy Detection Rules And Block Exploitation Attempts., Store Administrators: Apply Patches, Reconfigure Session Storage, And Monitor For Iocs., , Apply Security Patches Promptly Upon Release., Review And Harden Session Storage Mechanisms., Implement Network-Level Protections (E.G., Waf Rules) For Critical Vulnerabilities., Enhance Monitoring For Exploitation Attempts Post-Disclosure., , Mandatory Patch Enforcement For Critical Vulnerabilities In Adobe Commerce/Magento., Enhanced Api Security Controls (E.G., Input Validation, Rate Limiting)., Automated Vulnerability Management For E-Commerce Platforms With Slas For Patching., Threat Intelligence Sharing To Preempt Exploitation Of Newly Disclosed Flaws., , Deploy Advanced Email Security Solutions Capable Of Html Attachment Analysis., Implement Behavioral Analytics To Detect Credential Stuffing Attempts Post-Breach., Establish A Cross-Functional Incident Response Team For Phishing-Specific Threats., Develop A Playbook For Telegram Bot Api Abuse Incidents., .

Last Attacking Group: The attacking group in the last incident was an Unknown.

Most Recent Incident Detected: The most recent incident detected was on 2013-09-17.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-11.

Most Recent Incident Resolved: The most recent incident resolved was on 2025-09-09.

Most Significant Data Compromised: The most significant data compromised in an incident were Customer names, Payment card expiration dates, Encrypted payment card numbers, , Potential Customer Account Data (if exploited), , Potential Customer Account Data (Session Hijacking), , Potential Customer Account Takeover, Potential Sensitive Data Exposure (if RCE achieved), , Customer Account Data (Potential), , User Credentials (Email/Password), IP Addresses, User-Agent Data and .

Most Significant System Affected: The most significant system affected in an incident were Adobe CommerceMagento Open Source (default file-system session storage configurations) and Adobe Commerce (Magento) Platforms (Versions: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier) and Adobe CommerceMagento Open Source and Adobe Commerce PlatformsMagento Open Source Platforms.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was sansec (research and advisory), , sansec (detection/analysis), searchlight cyber (technical analysis), , sansec, assetnote/searchlight cyber, , sansec (warning & analysis), searchlight cyber (technical analysis), , cyble research and intelligence labs (cril), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were WAF rule deployed for Adobe Commerce on Cloud customersEmergency patch release, Blocking Exploitation Attempts (Sansec Shield)Patching Vulnerability (Recommended), Blocking Exploit Attempts (250+ blocked)IP Blacklisting, Urgent Patch Application Recommended and Block HTML Attachments at Email GatewayRestrict Access to Telegram APIRetroactive Review of User Activity for Compromise Signs.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Potential Customer Account Data (Session Hijacking), Potential Customer Account Data (if exploited), Customer Account Data (Potential), Payment card expiration dates, Encrypted payment card numbers, Potential Customer Account Takeover, User Credentials (Email/Password), IP Addresses, User-Agent Data, Potential Sensitive Data Exposure (if RCE achieved) and Customer names.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Modular toolkits enable rapid adaptation to new brands/languages.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Follow Adobe’s updated REST API documentation for secure implementation practices., Audit session storage configurations; avoid file-system storage if possible., Educate developers on secure coding practices to mitigate improper input validation and deserialization risks., Monitor network traffic for connections to/from the identified malicious IP addresses (34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, 155.117.84[.]134, 159.89.12[.]166)., Educate customers on phishing risks, as compromised accounts may be used for further attacks., Block HTML attachments at email gateways or quarantine for inspection., Monitor for unusual REST API activity or PHP webshell artifacts., Consider deploying WAF rules or behavioral protection for on-premise installations., Immediately apply the Adobe-provided patch for CVE-2025-54236., Conduct regular vulnerability scans and penetration testing for e-commerce platforms, prioritizing deserialization and input validation flaws., Deploy WAF rules or intrusion detection (e.g., Sansec Shield) to block exploitation attempts., Educate customers on recognizing unauthorized account access., Deploy advanced threat detection for API-based exfiltration (e.g., Telegram Bot traffic)., Implement Web Application Firewalls (WAFs) with rules to detect and block exploitation attempts targeting REST APIs., Conduct retroactive reviews of user activity for signs of compromise (e.g., unusual logins)., Monitor dark web/underground forums for leaked credentials tied to impersonated brands., Conduct a thorough review of customer accounts for signs of unauthorized access., Test the patch in staging environments to identify potential disruptions to custom/external code., Implement multi-factor authentication (MFA) to mitigate stolen credential risks., Monitor for unusual REST API activity or session anomalies., Collaborate with threat intelligence providers (e.g., CRIL) for IOCs and campaign updates., Audit PHP upload directories (e.g., '/customer/address_file/upload') for unauthorized webshells or backdoors., Enhance employee training to recognize sophisticated phishing (e.g., blurred backgrounds, fake login prompts)., Block known malicious IPs associated with exploitation attempts (shared by Sansec)., Monitor for indicators of compromise (e.g., PHP webshells, unusual phpinfo requests)., Immediately apply Adobe's security patch for CVE-2025-54236., Immediately apply the Adobe hotfix or upgrade to the latest secure version of Adobe Commerce/Magento Open Source., Audit session storage configurations (prioritize moving away from file-based storage if possible)., Immediately apply Adobe’s security patches for CVE-2025-54236 and CVE-2024-34102., Review and harden session storage configurations (avoid default file-system storage if possible)., Enable WAF rules to detect and block SessionReaper exploitation patterns. and Restrict outbound traffic to Telegram API endpoints where possible..

Most Recent Source: The most recent source of information about an incident are Searchlight Cyber Technical Analysis, Sansec Advisory on SessionReaper, Sansec Bulletin on SessionReaper Exploitation, Sansec Research Advisory, Sansec Advisory on CVE-2025-54236 Exploitation, Adobe Security Bulletin for CVE-2025-54236, Adobe Security Bulletin (CVE-2025-54236), Assetnote/Searchlight Cyber Technical Deep-Dive by Tomais Williamson, Adobe Commerce REST API Documentation Updates, Cyble Research and Intelligence Labs (CRIL), Searchlight Cyber Technical Analysis of CVE-2025-54236 and California Office of the Attorney General.

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (no active exploitation observed as of disclosure).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Adobe notified selected Commerce customers on 2025-09-04 about the upcoming patch., Public advisory issued with patch release on 2025-09-09., Adobe Commerce Administrators: Urgent patching required., E-Commerce Security Teams: Monitor for indicators of compromise (IoCs) tied to the 5 attacker IPs., Customers: Watch for unauthorized account activity., Urgent patching recommended for all Adobe Commerce/Magento Open Source users, Adobe Security Bulletin Update, Sansec Public Warning, Security Teams: Update email filtering rules and monitor Telegram API traffic., Executives: Allocate resources for user training and threat intelligence integration., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Urgent recommendation to apply the patch immediately.Warning about potential custom code breakage due to disabled internal functionality.Guidance to test the patch in non-production environments first., Users of Adobe Commerce/Magento stores should:- Change passwords if suspicious activity is detected.- Enable multi-factor authentication (MFA) where available.- Monitor transaction histories for fraud., Monitor accounts for unauthorized activityReport suspicious login attempts, Urgent Patch Notification for Magento/Adobe Commerce Users, Verify login prompts carefully and especially in emails with attachments.Report suspicious emails to IT/security teams immediately.Enable MFA on all accounts to reduce credential theft impact.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely minimal (Opportunistic scans for unpatched systems).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Vulnerability in session handling via Commerce REST API (CVE-2025-54236).Default configuration storing session data on the file system (common across most stores).Potential leak of initial hotfix accelerating exploit development., Improper input validation in Adobe Commerce REST API (CVE-2025-54236).Default insecure session storage configuration (file-system).Delayed patch adoption by store administrators., Improper input validation in session handling (CVE-2025-54236).Delayed patching by majority of users (62% unpatched at time of attacks).File-based session storage increasing severity to RCE in some configurations., Improper input validation in Adobe Commerce REST API (CVE-2025-54236).Delayed patch application by 62% of Magento stores post-disclosure.Lack of sufficient monitoring for deserialization-based attacks in e-commerce platforms., Over-reliance on perimeter defenses (e.g., URL filtering) that fail to inspect HTML attachments.Lack of user awareness about evolving phishing tactics (e.g., fake login modals).Insufficient monitoring of API-based exfiltration channels (e.g., Telegram Bot traffic).Delayed patching of human vulnerabilities (e.g., trust in branded communications)..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Patch deployment to disable vulnerable internal functionality.WAF rule deployment for cloud customers as interim mitigation.Documentation updates for secure REST API usage., Adobe: Release emergency patch and public advisory.Sansec: Deploy detection rules and block exploitation attempts.Store Administrators: Apply patches, reconfigure session storage, and monitor for IoCs., Apply security patches promptly upon release.Review and harden session storage mechanisms.Implement network-level protections (e.g., WAF rules) for critical vulnerabilities.Enhance monitoring for exploitation attempts post-disclosure., Mandatory patch enforcement for critical vulnerabilities in Adobe Commerce/Magento.Enhanced API security controls (e.g., input validation, rate limiting).Automated vulnerability management for e-commerce platforms with SLAs for patching.Threat intelligence sharing to preempt exploitation of newly disclosed flaws., Deploy advanced email security solutions capable of HTML attachment analysis.Implement behavioral analytics to detect credential stuffing attempts post-breach.Establish a cross-functional incident response team for phishing-specific threats.Develop a playbook for Telegram Bot API abuse incidents..