Magento Stores Targeted in Attack Exploiting Critical Adobe Flaw

CVE-2025-54236 Magento security Adobe Commerce vulnerability SessionReaper e-commerce security account takeover
Alan V Gutnov

Director of Strategy

 
October 24, 2025
3 min read

TL;DR

  • Magento and Adobe Commerce stores are actively targeted by CVE-2025-54236, a critical improper input validation vulnerability. Attackers are exploiting this flaw to take over customer accounts by dropping webshells and gathering PHP configuration data. Adobe has released a patch, and immediate application is recommended for all affected versions to prevent further compromise.

Magento Stores Under Attack Due to Adobe Commerce Flaw CVE-2025-54236

E-commerce security firm Sansec has reported active exploitation of a recently disclosed security vulnerability, CVE-2025-54236, in Adobe Commerce and Magento Open Source platforms. Over 250 attack attempts have been recorded in the past 24 hours.

Vulnerability Details

CVE-2025-54236, also known as SessionReaper, is a critical improper input validation flaw (CVSS score: 9.1) that could allow attackers to take over customer accounts via the Commerce REST API. The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier, as well as Adobe Commerce B2B versions 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. Adobe addressed this vulnerability last month. Security researcher Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

Exploitation and Impact

Attackers are leveraging the CVE-2025-54236 flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information. According to Sansec, PHP backdoors are being uploaded via '/customer/address_file/upload' as a fake session. The attacks have originated from the following IP addresses:

  • 34.227.25[.]4
  • 44.212.43[.]34
  • 54.205.171[.]35
  • 155.117.84[.]134
  • 159.89.12[.]166

Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

Remediation

Adobe has released a security update for Adobe Commerce and Magento Open Source. Adobe recommends users update their installation to the newest version. Sansec advises site administrators to deploy the patch or upgrade to the latest Adobe Commerce / Magento Open Source security release immediately, and to scan for signs of compromise. As of Wednesday, only 38% of online Magento stores have been patched. Hotfixes for CVE-2025-54236 are compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7. Release notes for the hotfix are available on Adobe Experience League.

Technical Analysis of CVE-2025-54236

According to Searchlight Cyber, CVE-2025-54236 is a nested deserialization vulnerability. In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user. Instances that do not use file-based session storage (such as Redis-backed instances) may also be vulnerable. The patch focuses on changing the way the type deserialization works for input received on the API endpoints. In the patch, Adobe has limited the types that can be instantiated in constructors to only “simple” types (strings, ints, floats, doubles, and booleans) and types matching a specific pattern for their names, such as Magento\Tax\Api\Data\TaxRateInterface.
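The defensive pattern the patch applies, an allowlist of type names checked at every level of a nested request body rather than only at the top, is illustrated below in Python. This is an added example and not Adobe's code or Magento's actual ServiceInputProcessor; the `type`/`args` body layout, the regular expression approximating the "specific pattern" (the page only gives Magento\Tax\Api\Data\TaxRateInterface as an instance of it), the TaxRateTitleInterface name and the placeholder service name are all assumptions made for the demonstration.

```python
import re

# "Simple" scalar types that the patch still lets the API instantiate (from the article).
SIMPLE_TYPES = frozenset({"string", "int", "float", "double", "boolean"})

# Assumed approximation of the name pattern described in the article. The only
# concrete instance the page gives is Magento\Tax\Api\Data\TaxRateInterface;
# the real pattern Adobe uses is not on the page.
DATA_INTERFACE_RE = re.compile(
    r"^Magento\\[A-Za-z0-9]+\\Api\\Data\\[A-Za-z0-9]+Interface$"
)


def is_allowed_type(type_name: str) -> bool:
    """Allowlist check: scalar types or data-interface names only."""
    if type_name in SIMPLE_TYPES:
        return True
    return DATA_INTERFACE_RE.match(type_name) is not None


def collect_type_names(node, found=None):
    """Walk a nested request body and collect every declared type name.

    Body convention (constructed for this example): an object node is a dict
    with a "type" key and an optional "args" dict whose values are scalars,
    nested object nodes, or lists of either. The recursion is the point: a
    check that only looks at the outermost type misses names buried deeper.
    """
    if found is None:
        found = []
    if isinstance(node, dict):
        if "type" in node:
            found.append(node["type"])
        for value in node.get("args", {}).values():
            collect_type_names(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_type_names(item, found)
    return found


def rejected_types(body):
    """Return the type names an allowlisting deserializer must refuse, in the
    order encountered. An empty list means the body may be processed."""
    return [t for t in collect_type_names(body) if not is_allowed_type(t)]


# Constructed request body using only allowed names.
SAFE_BODY = {
    "type": "Magento\\Tax\\Api\\Data\\TaxRateInterface",
    "args": {"code": {"type": "string"}, "rate": {"type": "float"}},
}

# Constructed body whose top level is allowed but which smuggles a non-data
# type (placeholder name, not a real class) two levels down.
NESTED_UNSAFE_BODY = {
    "type": "Magento\\Tax\\Api\\Data\\TaxRateInterface",
    "args": {
        "titles": [
            {
                "type": "Magento\\Tax\\Api\\Data\\TaxRateTitleInterface",
                "args": {
                    "value": {"type": "Vendor\\Module\\Model\\PlaceholderService"},
                },
            }
        ]
    },
}

if __name__ == "__main__":
    print("safe body rejected:", rejected_types(SAFE_BODY))
    print("nested body rejected:", rejected_types(NESTED_UNSAFE_BODY))
```

The validator refuses the nested body because of the single placeholder name, while the top-level type alone would have passed; that is the difference between checking the outermost type and checking every type a nested structure can cause to be instantiated.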

Unauthenticated File Upload

An unauthenticated endpoint exists at /customer/address_file/upload that handles user file uploads from the custom_attributes field. The uploaded file cannot have a protected extension (e.g., .php, .html, .xml), but all other files, including those without extensions, are allowed. The file name is not modified, except in the case that the file already exists, where _1, _2, _3, and so on is appended to the uploaded file name. The necessary form_key can be any value, as long as it’s the same in the cookie and form parameters.
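For administrators scanning for signs of compromise, the following added Python script (not Sansec's or Searchlight Cyber's tooling) runs the indicators the article gives, the source IPs and the /customer/address_file/upload path, over web server access logs in combined format, and also flags requests whose path mentions phpinfo since the article reports phpinfo probing without naming a path. The log lines are constructed for the example; the REST and catalog paths in them are sample values, and the phpinfo substring match is an assumption.

```python
import re
from collections import Counter

# Attack source IPs listed in the article (from Sansec's report).
KNOWN_ATTACK_IPS = frozenset({
    "34.227.25.4",
    "44.212.43.34",
    "54.205.171.35",
    "155.117.84.134",
    "159.89.12.166",
})

# Upload path named in the article. Magento stores often expose it both with
# and without an /index.php prefix, so the check below matches on the suffix.
UPLOAD_PATH = "/customer/address_file/upload"
# The article says phpinfo was probed but gives no path; substring match is an assumption.
PHPINFO_MARKER = "phpinfo"

# Apache/nginx combined log format, with the request line split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]
    if entry["ip"] in KNOWN_ATTACK_IPS:
        reasons.append("known-attack-ip")
    if path.rstrip("/").endswith(UPLOAD_PATH):
        reasons.append("address-file-upload-endpoint")
    if PHPINFO_MARKER in path.lower():
        reasons.append("phpinfo-probe")
    return reasons


def scan(lines):
    """Parse each line, skip unparsable ones, and keep entries with a reason."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "method": entry["method"],
                "path": entry["path"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return findings


def by_ip(findings):
    """Count findings per source IP for a quick triage view."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log: two benign requests, four suspicious ones, one garbage line.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120
34.227.25.4 - - [24/Oct/2025:10:02:10 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312
203.0.113.9 - - [24/Oct/2025:10:03:15 +0000] "POST /index.php/customer/address_file/upload HTTP/1.1" 200 298
159.89.12.166 - - [24/Oct/2025:10:04:00 +0000] "GET /rest/V1/guest-carts/abc/estimate-shipping-methods HTTP/1.1" 400 120
44.212.43.34 - - [24/Oct/2025:10:05:30 +0000] "GET /phpinfo.php HTTP/1.1" 404 0
10.0.0.6 - - [24/Oct/2025:10:06:00 +0000] "POST /customer/account/loginPost/ HTTP/1.1" 302 0
this line is not an access log entry
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["ts"], f["ip"], f["method"], f["path"], f["status"], ",".join(f["reasons"]))
    print("per-IP:", dict(by_ip(results)))
```

Any POST to the upload endpoint from an unfamiliar address is worth a look even when the IP is not on the list, since the page describes the endpoint as unauthenticated; pair the log findings with a filesystem check of the address-file upload directory for recently added files with no extension or an `_1`/`_2` suffix, which the article describes as the behaviour of the handler.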

Alan V Gutnov, Director of Strategy

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
