Magento Stores Targeted in Attack Exploiting Critical Adobe Flaw

CVE-2025-54236 Magento security Adobe Commerce vulnerability SessionReaper e-commerce security account takeover
Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
October 24, 2025 3 min read

TL;DR

Magento and Adobe Commerce stores are actively targeted by CVE-2025-54236, a critical improper input validation vulnerability. Attackers are exploiting this flaw to take over customer accounts by dropping webshells and gathering PHP configuration data. Adobe has released a patch, and immediate application is recommended for all affected versions to prevent further compromise.

Magento Stores Under Attack Due to Adobe Commerce Flaw CVE-2025-54236

E-commerce security firm Sansec has reported active exploitation of a recently disclosed security vulnerability, CVE-2025-54236, in Adobe Commerce and Magento Open Source platforms. Over 250 attack attempts have been recorded in the past 24 hours.

Vulnerability Details

CVE-2025-54236, also known as SessionReaper, is a critical improper input validation flaw (CVSS score: 9.1) that could allow attackers to take over customer accounts via the Commerce REST API. The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier, as well as Adobe Commerce B2B versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. Adobe addressed this vulnerability last month. Security researcher Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

Exploitation and Impact

Attackers are leveraging the CVE-2025-54236 flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information. According to Sansec, PHP backdoors are being uploaded via '/customer/address\_file/upload' as a fake session. The attacks have originated from the following IP addresses:

  • 34.227.25\[.\]4
  • 44.212.43\[.\]34
  • 54.205.171\[.\]35
  • 155.117.84\[.\]134
  • 159.89.12\[.\]166

Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

Remediation

Adobe has released a security update for Adobe Commerce and Magento Open Source. Adobe recommends users update their installation to the newest version. Sansec advises site administrators to deploy the patch or upgrade to the latest Adobe Commerce / Magento Open Source security release immediately, and to scan for signs of compromise. As of Wednesday, only 38% of online Magento stores have been patched. Hotfixes for CVE-2025-54236 are compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7. Release notes for the hotfix are available on Adobe Experience League.

Technical Analysis of CVE-2025-54236

According to Searchlight Cyber, CVE-2025-54236 is a nested deserialization vulnerability. In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user. Instances that do not use file-based session storage (such as Redis-backed instances) may also be vulnerable. The patch focuses on changing the way the type deserialization works for input received on the API endpoints. In the patch, Adobe has limited the types that can be instantiated in constructors to only “simple” types (strings, ints, floats, doubles, and booleans) and types matching a specific pattern for their names, such as MagentoTaxApiDataTaxRateInterface.

Unauthenticated File Upload

An unauthenticated endpoint exists at /customer/address_file/upload that handles user file uploads from the custom_attributes field. The uploaded file cannot have a protected extension (e.g., .php, .html, .xml), but all other files, including those without extensions, are allowed. The file name is not modified, except in the case that the file already exists, where it will append _1/_2/_3/etc to the uploaded file name. The necessary form_key can be any value, as long as it’s the same in the cookie and form parameters.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related News

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups
WinRAR vulnerability

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups

CISA flags WinRAR CVE-2025-6218 as actively exploited. Learn about this path traversal flaw and how to protect your systems. Update now!

By Jim Gagnard December 11, 2025 3 min read
Read full article
Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers
malicious VSCode extensions

Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers

Beware of malicious VSCode extensions & device code phishing scams. Learn how these attacks steal credentials, capture screens, and hijack sessions. Protect yourself now!

By Alan V Gutnov December 10, 2025 6 min read
Read full article
PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure
BRICKSTORM malware

PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Discover how PRC state actors are using BRICKSTORM malware to gain persistent access via VMware. Learn about its advanced evasion techniques and how to defend your systems. Read now!

By Divyansh Ingle December 9, 2025 3 min read
Read full article
Google Patches 107 Android Vulnerabilities, Including Zero-Days
Android security

Google Patches 107 Android Vulnerabilities, Including Zero-Days

Google's December update fixes 107 Android vulnerabilities, including two zero-days. Ensure your device is protected! Check your security update level now.

By Divyansh Ingle December 8, 2025 3 min read
Read full article