automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit c8773660fb40 · 2025-12-10T17:05:19.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -110604,6 +110604,69 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/magento_sessionreaper": {
+    "name": "Magento SessionReaper",
+    "fullname": "exploit/multi/http/magento_sessionreaper",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-10-22",
+    "type": "exploit",
+    "author": [
+      "Blaklis",
+      "Tomais Williamson",
+      "Valentin Lobstein <chocapikk@leakix.net>"
+    ],
+    "description": "This module exploits CVE-2025-54236 (SessionReaper), a critical vulnerability in\n          Magento/Adobe Commerce that allows unauthenticated remote code execution.\n\n          The vulnerability stems from improper handling of nested deserialization in the\n          payment method context, combined with an unauthenticated file upload endpoint.\n\n          The exploit chain consists of three steps:\n          1. Upload a malicious PHP session file containing a Guzzle/FW1 deserialization\n          payload via the unauthenticated /customer/address_file/upload endpoint\n          2. Trigger deserialization by sending a crafted JSON payload to the REST API\n          endpoint /rest/default/V1/guest-carts/{cart_id}/order that modifies the\n          session savePath to point to the uploaded file\n          3. Execute the uploaded PHP code to gain remote code execution\n\n          This vulnerability affects Magento 2.x instances configured to use file-based\n          session storage. Patched versions will return a 400 Bad Request response instead\n          of processing the malicious payload.",
+    "references": [
+      "CVE-2025-54236",
+      "URL-https://slcyber.io/research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/",
+      "URL-https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2025-11-26 19:10:55 +0000",
+    "path": "/modules/exploits/multi/http/magento_sessionreaper.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/magento_sessionreaper",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/magento_unserialize": {
     "name": "Magento 2.0.6 Unserialize Remote Code Execution",
     "fullname": "exploit/multi/http/magento_unserialize",
