Magento Stores Targeted in Attack Exploiting Critical Adobe Flaw

CVE-2025-54236 Magento security Adobe Commerce vulnerability SessionReaper e-commerce security account takeover
Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
October 24, 2025 3 min read

TL;DR

  • Magento and Adobe Commerce stores are actively targeted by CVE-2025-54236, a critical improper input validation vulnerability. Attackers are exploiting this flaw to take over customer accounts by dropping webshells and gathering PHP configuration data. Adobe has released a patch, and immediate application is recommended for all affected versions to prevent further compromise.

Magento Stores Under Attack Due to Adobe Commerce Flaw CVE-2025-54236

E-commerce security firm Sansec has reported active exploitation of a recently disclosed security vulnerability, CVE-2025-54236, in Adobe Commerce and Magento Open Source platforms. Over 250 attack attempts have been recorded in the past 24 hours.

Vulnerability Details

CVE-2025-54236, also known as SessionReaper, is a critical improper input validation flaw (CVSS score: 9.1) that could allow attackers to take over customer accounts via the Commerce REST API. The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier, as well as Adobe Commerce B2B versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. Adobe addressed this vulnerability last month. Security researcher Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

Exploitation and Impact

Attackers are leveraging the CVE-2025-54236 flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information. According to Sansec, PHP backdoors are being uploaded via '/customer/address\_file/upload' as a fake session. The attacks have originated from the following IP addresses:

  • 34.227.25\[.\]4
  • 44.212.43\[.\]34
  • 54.205.171\[.\]35
  • 155.117.84\[.\]134
  • 159.89.12\[.\]166

Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

Remediation

Adobe has released a security update for Adobe Commerce and Magento Open Source. Adobe recommends users update their installation to the newest version. Sansec advises site administrators to deploy the patch or upgrade to the latest Adobe Commerce / Magento Open Source security release immediately, and to scan for signs of compromise. As of Wednesday, only 38% of online Magento stores have been patched. Hotfixes for CVE-2025-54236 are compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7. Release notes for the hotfix are available on Adobe Experience League.

Technical Analysis of CVE-2025-54236

According to Searchlight Cyber, CVE-2025-54236 is a nested deserialization vulnerability. In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user. Instances that do not use file-based session storage (such as Redis-backed instances) may also be vulnerable. The patch focuses on changing the way the type deserialization works for input received on the API endpoints. In the patch, Adobe has limited the types that can be instantiated in constructors to only “simple” types (strings, ints, floats, doubles, and booleans) and types matching a specific pattern for their names, such as MagentoTaxApiDataTaxRateInterface.

Unauthenticated File Upload

An unauthenticated endpoint exists at /customer/address_file/upload that handles user file uploads from the custom_attributes field. The uploaded file cannot have a protected extension (e.g., .php, .html, .xml), but all other files, including those without extensions, are allowed. The file name is not modified, except in the case that the file already exists, where it will append _1/_2/_3/etc to the uploaded file name. The necessary form_key can be any value, as long as it’s the same in the cookie and form parameters.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related News

Google Dismantles IPIDEA, Major Proxy Network for 550+ Threats
Ipidea proxy network

Google Dismantles IPIDEA, Major Proxy Network for 550+ Threats

Google has disrupted Ipidea, a massive residential proxy network used by cybercriminals. Learn how this action impacts online security and what it means for threat actors. Read now!

By Brandon Woo February 27, 2026 4 min read
common.read_full_article
Pentagon Leaders Anticipate Cybercom 2.0 to Counter Chinese Threats
Cybercom 2.0

Pentagon Leaders Anticipate Cybercom 2.0 to Counter Chinese Threats

The Pentagon is overhauling its cyber defenses with Cybercom 2.0. Discover how specialization, AI, and innovation are reshaping the fight against threats like China's Volt Typhoon. Learn more!

By Jim Gagnard February 26, 2026 3 min read
common.read_full_article
FBI Seizes RAMP Ransomware Forum Linked to Cybercrime Operations
RAMP ransomware forum

FBI Seizes RAMP Ransomware Forum Linked to Cybercrime Operations

The FBI has successfully seized RAMP, a major dark web forum used by ransomware gangs. Discover the impact of this takedown on cybercrime operations. Read more!

By Brandon Woo February 23, 2026 3 min read
common.read_full_article
New Britain Ransomware Attack Disrupts City Services, FBI Involved
New Britain cyberattack

New Britain Ransomware Attack Disrupts City Services, FBI Involved

New Britain faces a major ransomware attack disrupting city services. Learn about the ongoing investigation, impact on operations, and essential services. Discover how to enhance your cybersecurity.

By Alan V Gutnov February 20, 2026 3 min read
common.read_full_article