- CVE-2025-54236 is being actively exploited to hijack accounts via Magento's REST API
- Over 250 attacks in 24 hours; most stores remain unpatched six weeks after the fix
- Attackers upload PHP backdoors using fake sessions; Sansec urges immediate patching and scans
A critical-severity vulnerability recently found in the Adobe Commerce and Magento Open Source platforms is being actively exploited in the wild to attack e-commerce sites and take over accounts, experts have warned.
Researchers at Sansec said that in less than 24 hours they observed more than 250 attacks leveraging CVE-2025-54236, a critical-severity flaw (9.1/10) described as an "improper input validation" vulnerability.
It is being abused to take over customer accounts via the Commerce REST API.
Patches, WAF, and more
The attacks are dubbed "SessionReaper", and although Adobe has released a fix for the bug, Sansec says the majority of Magento stores (almost two-thirds, 62%) are still vulnerable, six weeks after the patch was released.
Sansec identified five different IP addresses from which the attacks originate, suggesting either multiple threat actors, or a single actor using VPNs, proxy servers, or compromised machines to hide their real location (which is the more common occurrence).
In the attacks, they drop PHP webshells or probe phpinfo in an attempt to extract PHP configuration data. "PHP backdoors are uploaded via /customer/address_file/upload as a fake session," Sansec said.
Given that the flaw is being actively used in the wild, and that a patch has been available for weeks already, Sansec urged all users to secure their assets immediately.
That includes testing and deploying the patch as soon as possible, activating Web Application Firewall (WAF) protection (for those who cannot deploy the patch at this time), and scanning for compromise.
"If you delayed patching, run a malware scanner like eComscan to check for signs of compromise," Sansec explained.
TheHackerNews notes this is the second deserialization vulnerability found in the Adobe Commerce and Magento platforms in the last two years. In July 2024, the company patched a 9.8/10 flaw nicknamed CosmicSting, which was also abused in the wild.
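A malware scanner finds files already dropped on disk; the web server access log shows who tried. The following is an added example, not code from Sansec or the Magento project, that hunts over combined-format access logs for the two behaviours described above: requests to the customer address-file upload endpoint (the path Sansec names, /customer/address_file/upload, assumed here to be rare in legitimate traffic) and phpinfo probes, then lists source IPs that did both. The log lines are constructed sample data; the IPs are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Parser for Apache/Nginx "combined" access-log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint the Sansec report names as the backdoor upload path, and a
# pattern for phpinfo probes (used to pull PHP configuration data).
UPLOAD_ENDPOINT = "/customer/address_file/upload"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)

# Constructed sample log; not real traffic. Last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Oct/2025:10:01:09 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2025:10:02:15 +0000] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "curl/8.0"
192.0.2.44 - - [22/Oct/2025:10:02:40 +0000] "GET /customer/account/login/ HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Oct/2025:10:03:01 +0000] "GET /rest/V1/customers/me HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Oct/2025:10:03:30 +0000] "GET /pub/phpinfo.php?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
this line is not a valid access-log entry
"""


def classify(path, method):
    """Label one request as a finding, or return None if it looks benign."""
    bare = path.split("?", 1)[0]          # ignore the query string for the endpoint match
    if bare.startswith(UPLOAD_ENDPOINT):  # any method: a GET here is still a probe
        return "address_file_upload"
    if PHPINFO_RE.search(path):           # search the full path, query string included
        return "phpinfo_probe"
    return None


def scan_log(lines):
    """Return (findings by label, hit count by source IP) for the given log lines."""
    findings = defaultdict(list)
    by_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip it, don't abort the hunt
        label = classify(m["path"], m["method"])
        if label:
            findings[label].append((m["ip"], m["ts"], m["method"], m["path"], m["status"]))
            by_ip[m["ip"]] += 1
    return dict(findings), by_ip


def multi_stage_ips(findings):
    """IPs seen in more than one finding category (e.g. upload plus phpinfo probe)."""
    seen = defaultdict(set)
    for label, hits in findings.items():
        for hit in hits:
            seen[hit[0]].add(label)
    return {ip for ip, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    findings, by_ip = scan_log(SAMPLE_LOG.splitlines())
    for label, hits in findings.items():
        print(label)
        for ip, ts, method, path, status in hits:
            print(f"  {ip} {ts} {method} {path} -> {status}")
    print("distinct source IPs:", len(by_ip))
    print("IPs with more than one behaviour:", sorted(multi_stage_ips(findings)))
```

Run it against a real log with `scan_log(open("access.log"))`. A 200 on a POST to the upload endpoint followed by requests to files under the store's media directory is the pattern to chase first; a 404 on a phpinfo probe is reconnaissance that did not succeed, but the same source IP appearing in both lists is the signal to escalate.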
