Hundreds of Adobe Magento stores hit after critical security flaw found - here's what we know
More than 250 attacks observed in just 24 hours

- CVE-2025-54236 is actively exploited to hijack accounts via Magento’s REST API
- Over 250 attacks in 24 hours; most stores remain unpatched six weeks after fix
- Attackers upload PHP backdoors using fake sessions; Sansec urges immediate patching and scans
A critical-severity vulnerability recently found in Adobe Commerce and Magento Open Source platforms is being actively exploited in the wild to attack e-commerce sites and take over accounts, experts have warned.
Researchers at Sansec said that in less than 24 hours they observed more than 250 attacks leveraging CVE-2025-54236, a critical-severity flaw (9.1/10) described as an “improper input validation” vulnerability.
It is being abused to take over customer accounts through the Commerce REST API.
Patches, WAF, and more
The attacks are dubbed “SessionReaper”, and although Adobe has released a fix for the bug, Sansec says the majority of Magento stores (almost two-thirds, 62%) are still vulnerable, six weeks after the patch was released.
Sansec identified five different IP addresses from which the attacks originate, suggesting either multiple threat actors or, more commonly, a single actor using VPNs, proxy servers, or compromised machines to hide their real location.
In the attacks, they drop PHP webshells or probe phpinfo in an attempt to extract PHP configuration data. "PHP backdoors are uploaded via '/customer/address_file/upload' as a fake session," Sansec said.
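For store operators who want to triage their own web server logs for the two behaviours described above (uploads to the address_file endpoint and phpinfo probes), here is a small added example; it is not Sansec's tooling, and the log lines, IPs and paths in it are constructed samples (the IPs are documentation-range placeholders, not the attacker addresses Sansec observed).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format.
# The IPs are documentation-range placeholders; the paths are illustrative.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:08:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2025:08:01:05 +0000] "GET /media/customer_address/x.php?f=phpinfo HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2025:08:02:11 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2025:08:03:20 +0000] "POST /customer/address_file/upload HTTP/1.1" 500 0 "-" "curl/8.4"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag a request that matches the behaviours reported for SessionReaper."""
    path = entry["path"].lower()
    # POST to the address_file upload endpoint quoted by Sansec.
    if "customer/address_file/upload" in path and entry["method"] == "POST":
        return "upload-endpoint-post"
    # phpinfo probe anywhere in the path or query string.
    if "phpinfo" in path:
        return "phpinfo-probe"
    return None

def scan_log(text):
    """Group suspicious requests by source IP: {ip: [(timestamp, tag, path), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits[entry["ip"]].append((entry["ts"], tag, entry["path"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in scan_log(SAMPLE_LOG).items():
        print(ip)
        for ts, tag, path in events:
            print(f"  {ts}  {tag:22}  {path}")
```

A legitimate customer uploading an address attachment hits the same endpoint, so treat a hit as a lead for a file-system and malware scan of the store rather than as proof of compromise.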
Given that the flaw is being actively used in the wild, and that a patch has been available for weeks already, Sansec urged all users to secure their assets immediately.
That includes testing and deploying the patch as soon as possible, activating Web Application Firewall (WAF) protection (for those that cannot deploy the patch at this time), and scanning for compromise.
“If you delayed patching, run a malware scanner like eComscan to check for signs of compromise,” Sansec explained.
TheHackerNews notes this is the second deserialization vulnerability found in Adobe Commerce and Magento platforms in the last two years. In July 2024, the company patched a 9.8/10 flaw nicknamed CosmicSting, which was also abused in the wild.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.