- CVE-2025-54236 is actively exploited to hijack accounts via Magento’s REST API
- Over 250 attacks in 24 hours; most stores remain unpatched six weeks after fix
- Attackers upload PHP backdoors using fake sessions; Sansec urges immediate patching and scans
A critical-severity vulnerability recently found in Adobe Commerce and Magento Open Source platforms is being actively exploited in the wild to attack e-commerce sites and take over accounts, experts have warned.
Researchers at Sansec said in less than 24 hours, they observed more than 250 attacks leveraging CVE-2025-54236, a critical-severity flaw (9.1/10) described as an “improper input validation” vulnerability.
It is being abused to take over customer accounts through the Commerce REST API.
Patches, WAF, and more
The attacks are dubbed “SessionReaper”, and although Adobe has released a fix for the bug, Sansec says the majority of Magento stores (almost two-thirds, 62%), are still vulnerable – six weeks after the patch was released.
Sansec identified five different IP addresses from which the attacks originate, suggesting either multiple threat actors, or a single actor using VPNs, proxy servers, or compromised machines to hide their real location (which is a more common occurrence).
In the attacks, they droop PHP webshells or probe phpinfo in an attempt to extract PHP configuration data. “PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said.
Given that the flaw is being actively used in the wild, and that a patch has been available for weeks already, Sansec urged all users to secure their assets immediately.
That includes testing and deploying the patch as soon as possible, activating Web Application Firewall (WAF) protection (for those that cannot deploy the patch at this time), and scanning for compromise.
“If you delayed patching, run a malware scanner like eComscan to check for signs of compromise,” Sansec explained.
TheHackerNews notes this is the second deserialization vulnerability found in Adobe Commerce and Magento platforms in the last two years. In July 2024, the company patched a 9.8/10 flaw nicknamed CosmicSting, which was also abused in the wild.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The best antivirus for all budgets
Add Comment