Threat actors are actively exploiting **CVE-2025-54236** (CVSS 9.1), a critical **improper input validation vulnerability** in **Adobe Commerce and Magento Open Source**, enabling **account takeovers via the Commerce REST API**. Over **250 attack attempts** were recorded in 24 hours, with **62% of Magento stores remaining unpatched** six weeks post-disclosure. Exploits involve dropping **PHP webshells** and extracting **PHP configuration data** via fake sessions, risking **full customer account compromise**. The flaw, dubbed **SessionReaper**, follows a similar 2024 deserialization vulnerability (**CosmicSting, CVE-2024-34102**), highlighting a pattern of **high-severity exploits** in Adobe's e-commerce platforms. Public **proof-of-concept (PoC) exploits** and technical analyses (e.g., by **Searchlight Cyber**) accelerate attack adoption. Adobe confirmed **in-the-wild exploitation**, urging immediate patching to prevent **widespread account hijacking, data theft, or backend system infiltration**, which could disrupt **payment processes, customer trust, and operational integrity** for affected stores.
Source: https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html
TPRM report: https://www.rankiteo.com/company/adobe-commerce
{
  "id": "ado0092800102325",
  "linkid": "adobe-commerce",
  "type": "Vulnerability",
  "date": "6/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Retail/E-commerce',
                        'location': 'Global',
                        'name': 'Adobe Commerce Users',
                        'type': 'E-commerce Platform'},
                       {'industry': 'Retail/E-commerce',
                        'location': 'Global',
                        'name': 'Magento Open Source Users',
                        'type': 'E-commerce Platform'}],
 'attack_vector': ['Improper Input Validation',
                   'Deserialization Flaw',
                   'REST API Exploitation',
                   'PHP Webshell Deployment'],
 'customer_advisories': ['Urgent Patch Notification for Magento/Adobe Commerce Users'],
 'data_breach': {'data_exfiltration': ['PHP Configuration Information (via phpinfo Probing)'],
                 'file_types_exposed': ['PHP Webshells'],
                 'personally_identifiable_information': ['Potential (If Accounts Compromised)'],
                 'sensitivity_of_data': ['High (Account Takeover Risk)'],
                 'type_of_data_compromised': ['Customer Account Credentials (Potential)']},
 'description': 'Threat actors are exploiting a critical improper input validation flaw '
                '(CVE-2025-54236, CVSS score: 9.1) in Adobe Commerce and Magento Open Source '
                'platforms to take over customer accounts via the Commerce REST API. Over 250 '
                'attack attempts have been recorded in the past 24 hours, with 62% of Magento '
                'stores remaining vulnerable six weeks after patch disclosure. Attacks involve '
                'dropping PHP webshells or probing phpinfo to extract PHP configuration. The '
                "vulnerability, dubbed 'SessionReaper,' was responsibly disclosed by researcher "
                'Blaklis and patched by Adobe last month. Exploitation is now confirmed '
                'in-the-wild, with IP addresses linked to malicious activity. A related '
                'deserialization flaw, CosmicSting (CVE-2024-34102), was widely exploited in '
                'July 2024.',
 'impact': {'brand_reputation_impact': ['Potential Loss of Trust Due to Unpatched Vulnerabilities'],
            'data_compromised': ['Customer Account Data (Potential)'],
            'identity_theft_risk': ['High (Due to Account Takeover Capabilities)'],
            'operational_impact': ['Account Takeover Risk',
                                   'Unauthorized Access to Customer Data'],
            'systems_affected': ['Adobe Commerce Platforms',
                                 'Magento Open Source Platforms']},
 'initial_access_broker': {'backdoors_established': ['PHP Webshells'],
                           'entry_point': ['Commerce REST API (CVE-2025-54236)',
                                           "PHP File Upload ('/customer/address_file/upload')"],
                           'high_value_targets': ['Customer Account Data',
                                                  'PHP Configuration Information']},
 'investigation_status': 'Ongoing (Active Exploitation Confirmed)',
 'lessons_learned': ['Delayed patching increases exploitation risk, as seen with 62% of Magento '
                     'stores remaining vulnerable six weeks post-disclosure.',
                     'Deserialization flaws in e-commerce platforms are high-value targets for '
                     'threat actors, requiring prioritized remediation.',
                     'Public PoC exploits accelerate attack timelines, necessitating proactive '
                     'monitoring and defense-in-depth strategies.'],
 'motivation': ['Unauthorized Access',
                'Data Theft',
                'Potential Financial Gain',
                'Reconnaissance'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory patch enforcement for critical '
                                                   'vulnerabilities in Adobe Commerce/Magento.',
                                                   'Enhanced API security controls (e.g., input '
                                                   'validation, rate limiting).',
                                                   'Automated vulnerability management for '
                                                   'e-commerce platforms with SLAs for patching.',
                                                   'Threat intelligence sharing to preempt '
                                                   'exploitation of newly disclosed flaws.'],
                            'root_causes': ['Improper input validation in Adobe Commerce REST API '
                                            '(CVE-2025-54236).',
                                            'Delayed patch application by 62% of Magento stores '
                                            'post-disclosure.',
                                            'Lack of sufficient monitoring for '
                                            'deserialization-based attacks in e-commerce '
                                            'platforms.']},
 'recommendations': ["Immediately apply Adobe's security patches for CVE-2025-54236 and "
                     'CVE-2024-34102.',
                     'Monitor network traffic for connections to/from the identified malicious '
                     'IP addresses (34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, '
                     '155.117.84[.]134, 159.89.12[.]166).',
                     "Audit PHP upload directories (e.g., '/customer/address_file/upload') for "
                     'unauthorized webshells or backdoors.',
                     'Implement Web Application Firewalls (WAFs) with rules to detect and block '
                     'exploitation attempts targeting REST APIs.',
                     'Conduct regular vulnerability scans and penetration testing for '
                     'e-commerce platforms, prioritizing deserialization and input validation '
                     'flaws.',
                     'Educate developers on secure coding practices to mitigate improper input '
                     'validation and deserialization risks.'],
 'references': [{'source': 'Sansec Advisory on CVE-2025-54236 Exploitation'},
                {'source': 'Adobe Security Bulletin for CVE-2025-54236'},
                {'source': 'Searchlight Cyber Technical Analysis of CVE-2025-54236'}],
 'response': {'communication_strategy': ['Public Advisory by Sansec',
                                         'Revised Adobe Security Bulletin'],
              'containment_measures': ['Urgent Patch Application Recommended'],
              'enhanced_monitoring': ['Monitor for Attacks from Known Malicious IPs'],
              'remediation_measures': ['Apply Adobe Security Updates',
                                       'Monitor for PHP Webshells',
                                       "Restrict Access to '/customer/address_file/upload'"],
              'third_party_assistance': ['Sansec (Warning & Analysis)',
                                         'Searchlight Cyber (Technical Analysis)']},
 'stakeholder_advisories': ['Adobe Security Bulletin Update',
                            'Sansec Public Warning'],
 'threat_actor': 'Unknown',
 'title': 'Exploitation of CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open '
          'Source Platforms',
 'type': ['Vulnerability Exploitation',
          'Unauthorized Access',
          'Account Takeover',
          'Remote Code Execution'],
 'vulnerability_exploited': ['CVE-2025-54236 (SessionReaper)',
                             'CVE-2024-34102 (CosmicSting)']}