Full Report
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be
Analysis Summary
# Vulnerability: Unpatched Adobe Commerce/Magento Flaw Leading to Account Takeover and RCE
## CVE Details
- CVE ID: CVE-2025-54236
- CVSS Score: 9.1 (Critical)
- CWE: Improper Input Validation (Implied) / Deserialization of Untrusted Data
## Affected Systems
- Products: Adobe Commerce and Magento Open Source
- Versions: Not listed in the source. The article states that Adobe released fixes last month and that the flaw has been public for six weeks, so any installation without those fixes should be treated as affected.
- Configurations: Exploitation occurs via the Commerce REST API.
## Vulnerability Description
The vulnerability, dubbed "SessionReaper," is a critical flaw related to improper input validation, specifically described as a **nested deserialization flaw**. This flaw allows a remote, likely unauthenticated, attacker to potentially achieve **Remote Code Execution (RCE)** or **take over customer accounts** by abusing the Commerce REST API. Attackers are leveraging this flaw to upload PHP webshells.
## Exploitation
- Status: **Exploited in the wild**. Over 250 attack attempts recorded against multiple stores in the past 24 hours.
- Complexity: Implied **Low/Medium** due to active exploitation attempts and the disclosure of PoC exploits.
- Attack Vector: **Network** (via Commerce REST API).
## Impact
- Confidentiality: High (Potential for data extraction via webshells or configuration probing)
- Integrity: High (Ability to upload webshells leading to system compromise)
- Availability: Medium (Service disruption possible due to full compromise)
## Remediation
### Patches
- Adobe released patches last month (relative to the article date). Administrators are strongly urged to apply these fixes immediately. (Specific patch versions are not detailed in the source text.)
### Workarounds
- Monitor and block traffic from known malicious IP addresses:
  - 34.227.25[.]4
  - 44.212.43[.]34
  - 54.205.171[.]35
  - 155.117.84[.]134
  - 159.89.12[.]166
## Detection
- **Indicators of Compromise (IOCs):** Look for anomalous file uploads via the `/customer/address_file/upload` endpoint, specifically attempts to upload malicious PHP content masquerading as a session file. Also monitor for attempts to run `phpinfo` commands.
- **Detection methods and tools:** Security monitoring focused on API traffic to the Commerce REST API for unusual requests targeting file upload functionality.
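The following is an added example of the log triage the Detection section describes; it is not code from Sansec, Adobe, or the referenced research. It matches web-server access log lines against the three signals the page names: requests from the listed IoC addresses, POSTs to the `/customer/address_file/upload` endpoint, and `phpinfo` probes. The Combined Log Format layout and the sample log lines are constructed for illustration (the benign client addresses are documentation ranges); the IoC addresses and the endpoint path are the ones given on this page. Because the IP list is only a snapshot of one day's activity, the script reports endpoint matches from any source, not just the listed IPs.

```python
"""Triage access logs for the SessionReaper (CVE-2025-54236) activity described above.

Added example, not the vendor's or researcher's code. Assumes the store's web
server writes Combined Log Format; adjust LOG_RE for other layouts.
"""
import re
from dataclasses import dataclass

# IoC addresses from the page (defanged "[.]" expanded for matching).
IOC_IPS = {
    "34.227.25.4",
    "44.212.43.34",
    "54.205.171.35",
    "155.117.84.134",
    "159.89.12.166",
}

# Endpoint named on the page; matched as a substring so that any REST prefix
# in front of it (whatever the deployment uses) is still caught.
UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Combined Log Format (assumption about the server configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    reasons: tuple


def classify(ip, method, path):
    """Return the tuple of detection reasons that apply to one request."""
    reasons = []
    lower = path.lower()
    if ip in IOC_IPS:
        reasons.append("known-ioc-ip")
    if method == "POST" and UPLOAD_ENDPOINT in lower:
        reasons.append("address-file-upload")
    if "phpinfo" in lower:
        reasons.append("phpinfo-probe")
    return tuple(reasons)


def triage(lines):
    """Parse each log line and collect every request that trips a signal."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real deployment would count these
        reasons = classify(match["ip"], match["method"], match["path"])
        if reasons:
            findings.append(Finding(line_no, match["ip"], match["path"], reasons))
    return findings


# Constructed sample log: one benign catalogue request, one upload from an
# IoC address, one phpinfo probe, and one upload from an unlisted address.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:08:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '34.227.25.4 - - [10/Oct/2025:08:00:07 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 310 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2025:08:01:13 +0000] "GET /media/phpinfo.php HTTP/1.1" 404 210 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2025:08:02:40 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.ip} {finding.path} -> {', '.join(finding.reasons)}")
```

Every POST to the upload endpoint is reported, whether or not the source is on the IoC list, because a successful upload of PHP content from an unlisted address is exactly the case the IP block list would miss; findings tagged only `address-file-upload` still need a look at the stored file to confirm whether it is a legitimate customer attachment.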
## References
- Sansec Advisory: hxxps://sansec.io/research/sessionreaper-exploitation
- Researcher Credit: hxxps://x.com/Blaklis_/status/1965411396914450434
- Technical Analysis: hxxps://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/