- CVE-2025-54236 is actively exploited to hijack accounts via Magento’s REST API
- Over 250 attacks in 24 hours; most stores remain unpatched six weeks after the fix was released
- Attackers upload PHP backdoors using fake sessions; Sansec encourages immediate patching and scans
A critical severity vulnerability recently found in Adobe Commerce and Magento Open Source platforms is being actively exploited in the wild to attack e-commerce websites and take over accounts, experts have warned.
Researchers at Sansec said in less than 24 hours they observed more than 250 attacks exploiting CVE-2025-54236, a Critical Severity (9.1/10) bug described as an “improper input validation” vulnerability.
It is being misused to take over customer accounts through the Commerce REST API.
Patches, WAF and more
The attacks are called “SessionReaper”, and although Adobe has released a fix for the bug, Sansec says the majority of Magento stores (almost two-thirds, 62%) are still vulnerable – six weeks after the patch was released.
Sansec identified five different IP addresses from which the attacks originated, suggesting either multiple threat actors or a single actor using VPNs, proxy servers, or compromised machines to hide their real location (the more common scenario).
In the attacks, they drop PHP webshells or examine phpinfo in an attempt to extract PHP configuration data. “PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said.
Since the bug is being actively used in the wild and a patch has already been available for weeks, Sansec urged all users to secure their assets immediately.
That includes testing and deploying the patch as soon as possible, enabling Web Application Firewall (WAF) protection (for those unable to deploy the patch at this time), and scanning for compromise.
“If you delayed patching, run a malware scanner like eComscan to check for signs of compromise,” Sansec explained.
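As an added illustration of the "scan for compromise" step (this is not Sansec's or Adobe's code), the following script walks web-server access-log lines and flags sources that POST to the `/customer/address_file/upload` path quoted above or probe for phpinfo. The log lines are constructed; the log format, and the assumption that legitimate traffic rarely hits that upload endpoint without a real customer session, are assumptions.

```python
"""Flag access-log activity matching the SessionReaper behaviour described
on this page: POSTs to /customer/address_file/upload and phpinfo probing.
All log lines below are constructed samples, not real traffic."""
import re
from collections import defaultdict

# Common/combined log format (assumed): ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Upload path taken from the Sansec quote on this page; phpinfo probing is also described there.
UPLOAD_PATH = "/customer/address_file/upload"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)


def classify(line):
    """Return (kind, ip, path) for one log line; kind is 'upload', 'phpinfo' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, None, None
    path = m.group("path").split("?", 1)[0]  # strip query string for path matching
    if m.group("method") == "POST" and path.startswith(UPLOAD_PATH):
        return "upload", m.group("ip"), path
    if PHPINFO_RE.search(m.group("path")):  # query string included on purpose
        return "phpinfo", m.group("ip"), path
    return None, m.group("ip"), path


def summarize(lines):
    """Count suspicious requests per source IP; any source listed here merits review."""
    hits = defaultdict(lambda: {"upload": 0, "phpinfo": 0})
    for line in lines:
        kind, ip, _ = classify(line)
        if kind:
            hits[ip][kind] += 1
    return {ip: counts for ip, counts in hits.items()}


# Constructed sample log: one attacker-like source and one ordinary shopper.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2025:10:01:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2025:10:02:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 30000
""".splitlines()

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {counts}")
```

A hit on the upload path is a lead to investigate (check the session it used and any new PHP files under the web root), not proof of compromise on its own.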
TheHackerNews notes that this is the second deserialization vulnerability found in the Adobe Commerce and Magento platforms in the last two years. In July 2024, the company patched a 9.8/10 bug nicknamed CosmicSting, which was also being abused in the wild.