
E-commerce security firm Sansec has warned that attackers have begun exploiting a recently disclosed security vulnerability in Adobe Commerce and the open-source Magento platform, with more than 250 attack attempts against multiple stores recorded in the past 24 hours.
The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that can be exploited to take over Adobe Commerce customer accounts through the Commerce REST API.
The issue, also known as SessionReaper, was patched by Adobe last month. A security researcher known as Blaklis is credited with discovering and responsibly disclosing CVE-2025-54236.
The Dutch company said 62% of Magento stores remain vulnerable to the flaw six weeks after its disclosure, and urged site administrators to patch immediately, before exploitation becomes widespread.

The attacks originate from the following IP addresses. The as-yet-unidentified attacker exploits the flaw to drop a PHP web shell and then queries phpinfo() to extract the server's PHP configuration:
34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, 155.117.84[.]134, 159.89.12[.]166
“The PHP backdoor is uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said.
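The two indicators Sansec gives, the five source IPs and the address-file upload endpoint, are enough to triage a store's web server access logs. The script below is an added example written for this article, not code from Sansec or the Magento project: it parses Apache/nginx combined-format access logs, flags requests from the listed IPs, POST/PUT requests whose path ends in /customer/address_file/upload (suffix-matched so the REST prefix, assumed here to be /rest/V1, does not matter), and requests whose path mentions phpinfo (an assumed heuristic, since the report does not name the file the attacker reads). The sample log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Indicators reported by Sansec: the five source IPs and the upload endpoint.
IOC_IPS = {
    "34.227.25.4",
    "44.212.43.34",
    "54.205.171.35",
    "155.117.84.134",
    "159.89.12.166",
}
UPLOAD_PATH = "/customer/address_file/upload"

# Apache/nginx "combined" access-log format:
# ip - - [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the reasons a parsed request matches the SessionReaper activity pattern."""
    reasons = []
    path = entry["path"].split("?", 1)[0]
    if entry["ip"] in IOC_IPS:
        reasons.append("known-attacker-ip")
    # Sansec: the PHP backdoor is uploaded via this endpoint. Suffix match so the
    # Magento REST prefix (assumed here to be /rest/V1) does not matter.
    if entry["method"] in ("POST", "PUT") and path.endswith(UPLOAD_PATH):
        reasons.append("address-file-upload")
    # Follow-on recon: the attacker reads phpinfo output. The report does not name
    # the file, so matching "phpinfo" in the path is an assumed heuristic.
    if "phpinfo" in path.lower():
        reasons.append("phpinfo-probe")
    return reasons


def scan(log_text):
    """Scan raw access-log text; return (ip, method, path, reasons) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["path"], reasons))
    return hits


def summarize(hits):
    """Count flagged requests per source IP, to decide what to block or investigate first."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed sample log lines (not taken from the report) to exercise the detector.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
34.227.25.4 - - [22/Oct/2025:10:03:11 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 88 "-" "python-requests/2.32"
34.227.25.4 - - [22/Oct/2025:10:03:15 +0000] "GET /phpinfo.php HTTP/1.1" 200 61234 "-" "python-requests/2.32"
198.51.100.7 - - [22/Oct/2025:10:05:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 500 0 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip:16} {method:5} {path:45} {','.join(reasons)}")
    print(summarize(scan(SAMPLE_LOG)))
```

Run it against a real access log with `scan(open("access.log").read())`. A hit on the upload endpoint from an IP outside the list still deserves investigation: the IP list reflects one day of observation, and a 500 response does not prove the upload failed, only that the request was rejected or the handler errored.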
This development comes after Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that allows remote code execution.
It is worth noting that CVE-2025-54236 is the second deserialization vulnerability to affect the Adobe Commerce and Magento platforms in recent years. In July 2024, another critical flaw called CosmicSting (CVE-2024-34102, CVSS score: 9.8) was widely exploited.
With a proof-of-concept (PoC) exploit and further technical details now public, it is imperative that users apply the fix without delay. Note that patching closes the entry point but does not remove a web shell an attacker has already dropped, so stores that were exposed should also check for unexpected PHP files and unfamiliar requests in their logs.