Magento Stores Targeted in Attack Exploiting Critical Adobe Flaw

CVE-2025-54236 Magento security Adobe Commerce vulnerability SessionReaper e-commerce security account takeover
Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
October 24, 2025 3 min read

TL;DR

Magento and Adobe Commerce stores are actively targeted by CVE-2025-54236, a critical improper input validation vulnerability. Attackers are exploiting this flaw to take over customer accounts by dropping webshells and gathering PHP configuration data. Adobe has released a patch, and immediate application is recommended for all affected versions to prevent further compromise.

Magento Stores Under Attack Due to Adobe Commerce Flaw CVE-2025-54236

E-commerce security firm Sansec has reported active exploitation of a recently disclosed security vulnerability, CVE-2025-54236, in Adobe Commerce and Magento Open Source platforms. Over 250 attack attempts have been recorded in the past 24 hours.

Vulnerability Details

CVE-2025-54236, also known as SessionReaper, is a critical improper input validation flaw (CVSS score: 9.1) that could allow attackers to take over customer accounts via the Commerce REST API. The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier, as well as Adobe Commerce B2B versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. Adobe addressed this vulnerability last month. Security researcher Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

Exploitation and Impact

Attackers are leveraging the CVE-2025-54236 flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information. According to Sansec, PHP backdoors are being uploaded via '/customer/address\_file/upload' as a fake session. The attacks have originated from the following IP addresses:

  • 34.227.25\[.\]4
  • 44.212.43\[.\]34
  • 54.205.171\[.\]35
  • 155.117.84\[.\]134
  • 159.89.12\[.\]166

Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

Remediation

Adobe has released a security update for Adobe Commerce and Magento Open Source. Adobe recommends users update their installation to the newest version. Sansec advises site administrators to deploy the patch or upgrade to the latest Adobe Commerce / Magento Open Source security release immediately, and to scan for signs of compromise. As of Wednesday, only 38% of online Magento stores have been patched. Hotfixes for CVE-2025-54236 are compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7. Release notes for the hotfix are available on Adobe Experience League.

Technical Analysis of CVE-2025-54236

According to Searchlight Cyber, CVE-2025-54236 is a nested deserialization vulnerability. In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user. Instances that do not use file-based session storage (such as Redis-backed instances) may also be vulnerable. The patch focuses on changing the way the type deserialization works for input received on the API endpoints. In the patch, Adobe has limited the types that can be instantiated in constructors to only “simple” types (strings, ints, floats, doubles, and booleans) and types matching a specific pattern for their names, such as MagentoTaxApiDataTaxRateInterface.

Unauthenticated File Upload

An unauthenticated endpoint exists at /customer/address_file/upload that handles user file uploads from the custom_attributes field. The uploaded file cannot have a protected extension (e.g., .php, .html, .xml), but all other files, including those without extensions, are allowed. The file name is not modified, except in the case that the file already exists, where it will append _1/_2/_3/etc to the uploaded file name. The necessary form_key can be any value, as long as it’s the same in the cookie and form parameters.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

CVE-2025-10585

New Zero-Day CVE-2025-10585 Exploit in Chrome's V8 Engine

Actively exploited Chrome V8 zero-day, CVE-2025-10585, allows code execution. Update your browser immediately to protect against malicious websites. Learn more and secure your system now!

By Edward Zhou October 23, 2025 3 min read
Read full article
AWS outage

Amazon AWS Outage Reveals Tech Vulnerabilities and Provider Risks

Thousands of apps and websites went down due to an AWS outage. Discover the impact, affected services, and expert insights on cloud dependency. Read more!

By Alan V Gutnov October 22, 2025 2 min read
Read full article
Operation SIMCARTEL

Europol Dismantles SIM Farm Network Behind 49 Million Fake Accounts

Europol's Operation SIMCARTEL disrupted a massive SIM farm network used for phishing & fraud. Learn about the arrests, seizures, and impact on cybercrime. Read more!

By Edward Zhou October 21, 2025 2 min read
Read full article
China cyberattack

China Accuses US of Cyberattacks on National Time Center

China alleges NSA cyberattacks on its National Time Service Center, stealing data and targeting critical timing systems. Learn more about the accusations. Read now!

By Alan V Gutnov October 20, 2025 2 min read
Read full article