A newly discovered critical vulnerability in Adobe Commerce and Magento Open Source platforms has become a target of active exploitation. According to e-commerce security firm Sansec, over 250 Magento stores were attacked within just 24 hours after threat actors began leveraging this flaw.
Details of the Vulnerability
The vulnerability, identified as CVE-2025-54236 with a CVSS score of 9.1, is a severe improper input validation issue. Exploiting this flaw allows attackers to take over customer accounts through the Commerce REST API in Adobe Commerce.
The vulnerability, known as SessionReaper, was patched by Adobe last month. Security researcher Blaklis is credited for discovering and responsibly reporting this issue.
Widespread Risk and Active Exploitation
Sansec revealed that nearly 62% of Magento stores remain unpatched, leaving them exposed to potential compromise. Despite public disclosure six weeks ago, many administrators have yet to apply the security update. Adobe has now confirmed in-the-wild exploitation of CVE-2025-54236 and updated its security advisory accordingly.
Attack Sources and Techniques
The attacks have been traced back to the following IP addresses:
34.227.25[.]4
44.212.43[.]34
54.205.171[.]35
155.117.84[.]134
159.89.12[.]166
Sansec noted that unknown threat actors are using the flaw to upload PHP webshells or execute phpinfo probes to collect PHP configuration data.
“PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec stated.
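As an added detection example (written for this article, not code from Sansec, Adobe or Magento), the script below scans web-server access logs for the two indicators the report gives: requests to the '/customer/address_file/upload' endpoint, and traffic from the published attacker addresses. The log format, the sample lines and the severity scheme are assumptions for illustration; the indicators are kept in the defanged form the report uses and normalised before matching.

```python
import re

# Indicators taken from the report above, defanged as published; refang() normalises them.
REPORTED_IPS = {
    "34.227.25[.]4", "44.212.43[.]34", "54.205.171[.]35",
    "155.117.84[.]134", "159.89.12[.]166",
}
UPLOAD_PATH = "/customer/address_file/upload"  # endpoint Sansec says is abused for uploads

# Assumed Apache/Nginx combined log layout: client ip, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return ip.replace("[.]", ".")

SUSPECT_IPS = {refang(ip) for ip in REPORTED_IPS}

def classify(line: str):
    """Return (severity, reasons, ip, path) for a suspicious line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
    reasons = []
    if ip in SUSPECT_IPS:
        reasons.append("source ip in published attacker list")
    if UPLOAD_PATH in path:
        reasons.append(f"request to {UPLOAD_PATH}")
        # An accepted POST to this path is the upload itself, not merely a probe.
        if method == "POST" and status.startswith("2"):
            reasons.append("upload accepted (POST, 2xx)")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 2 else "medium"  # assumed scoring rule
    return severity, reasons, ip, path

def scan(lines):
    """Run classify() over every line and return only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic); benign clients use RFC 5737 test addresses.
SAMPLE_LOG = [
    '159.89.12.166 - - [22/Oct/2025:10:01:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512',
    '203.0.113.10 - - [22/Oct/2025:10:02:15 +0000] "POST /index.php/customer/address_file/upload HTTP/1.1" 403 0',
    '198.51.100.7 - - [22/Oct/2025:10:03:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 20480',
    '44.212.43.34 - - [22/Oct/2025:10:04:10 +0000] "GET /rest/V1/customers/me HTTP/1.1" 401 70',
]

if __name__ == "__main__":
    for severity, reasons, ip, path in scan(SAMPLE_LOG):
        print(f"[{severity}] {ip} {path}: {'; '.join(reasons)}")
```

A blocked (403) request to the upload path is still reported, since a store that has patched will keep seeing attempts and the source addresses are worth feeding into a blocklist.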
Technical Breakdown
Cybersecurity firm Searchlight Cyber published a detailed analysis explaining that CVE-2025-54236 is a nested deserialization vulnerability. This weakness can enable remote code execution (RCE), giving attackers full control of affected servers.
This marks the second major deserialization flaw impacting Adobe Commerce and Magento within two years. In July 2024, a similar vulnerability, CosmicSting (CVE-2024-34102, CVSS score 9.8), was exploited globally with severe impact on e-commerce operations.
Call to Action
With proof-of-concept (PoC) exploits and technical details now publicly available, experts urge administrators to immediately apply the latest patches. Delayed action could lead to further compromise, data theft, or complete store takeover.