- CVE-2025-54236 is actively used to compromise accounts via the Magento REST API.
- More than 250 attacks in 24 hours; most stores remain unpatched six weeks after the fix was released
- Attackers load PHP backdoors using fake sessions; Sansec calls for immediate fix and scan
A critical-severity vulnerability recently discovered in the Adobe Commerce and Magento Open Source platforms is being actively exploited to attack e-commerce websites and take over accounts, experts warn.
Sansec researchers said they observed more than 250 attacks in less than 24 hours using CVE-2025-54236, a critical severity (9.1 out of 10) vulnerability described as an “incorrect input validation” vulnerability.
It is abused to take over customer accounts via the Commerce REST API.
Patches, WAF and much more
The attacks have been dubbed “SessionReaper”, and although Adobe has released a fix for the bug, Sansec says the majority of Magento stores (nearly two-thirds, 62%) are still vulnerable – six weeks after the patch was released.
Sansec has identified five different IP addresses from which the attacks originate, suggesting either multiple threat actors or, more commonly, a single attacker using VPNs, proxies or compromised machines to hide their real location.
During the attacks, they upload PHP web shells or query phpinfo in an attempt to extract PHP configuration data. “PHP backdoors are uploaded via /customer/address_file/upload as a fake session,” Sansec said.
Given that the vulnerability is actively exploited and the patch has been available for several weeks, Sansec urged all users to immediately protect their assets.
This includes testing and deploying the patch as soon as possible, activating Web Application Firewall (WAF) protection (for those who cannot deploy a patch at the moment) and compromise scanning.
“If you've put off patching, run a malware scanner like eComscan to check for signs of compromise,” Sansec explained.
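A quick first pass while waiting for a full scan is to triage web-server access logs for the two behaviours the article describes: POST requests to /customer/address_file/upload (the upload endpoint Sansec names) and phpinfo probing. The script below is an added example, not code from Sansec or the article; it assumes the common "combined" access-log format, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format is assumed; adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators from the article: the upload endpoint abused to drop PHP
# backdoors, and phpinfo probing (matched anywhere in the request path).
UPLOAD_PATH = "/customer/address_file/upload"
PHPINFO_RE = re.compile(r"phpinfo", re.IGNORECASE)

def classify(entry):
    """Return a label for a parsed entry, or None if it looks benign."""
    path = entry["path"].split("?", 1)[0]
    # Match with or without a leading /index.php prefix or trailing slash.
    if entry["method"] == "POST" and path.rstrip("/").endswith(UPLOAD_PATH):
        return "backdoor-upload-endpoint"
    if PHPINFO_RE.search(entry["path"]):
        return "phpinfo-probe"
    return None

def triage(lines):
    """Parse log lines; return {ip: [(timestamp, label, path), ...]} for suspicious hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash mid-triage
        label = classify(m.groupdict())
        if label:
            hits[m["ip"]].append((m["ts"], label, m["path"]))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2025:10:01:05 +0000] "GET /media/phpinfo.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Oct/2025:10:02:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9000',
    '198.51.100.4 - - [12/Oct/2025:10:02:30 +0000] "POST /rest/V1/customers/me HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        print(ip)
        for ts, label, path in events:
            print(f"  {ts}  {label:26s} {path}")
```

A hit on the upload endpoint is not proof of compromise on its own, but any source IP that both posts to it and probes phpinfo deserves an immediate file-system scan of the webroot.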
TheHackerNews notes that this is the second deserialization vulnerability discovered in the Adobe Commerce and Magento platforms in the last two years. In July 2024, the company patched a 9.8/10 vulnerability called CosmicSting, which was also heavily abused.