A field analysis of the SessionReaper (CVE-2025-54236) and CosmicSting (CVE-2024-34102) attack wave hitting Adobe Commerce & Magento stores — how unauthenticated attackers chain a file-upload endpoint and a REST order call into RCE, what they drop, why the files keep coming back, and exactly how to lock it out.