Over the past 24 hours, Sansec has recorded more than 250 attack attempts against multiple online stores. Alarmingly, research indicates that 62% of Magento stores remain vulnerable six weeks after the public disclosure. Website administrators and e-commerce businesses are urged to apply security patches immediately to prevent customer account takeovers and potential data breaches.

The vulnerability was discovered and responsibly disclosed by security researcher Blaklis and was patched by Adobe last month. Threat actors have been leveraging this flaw to upload PHP webshells or probe phpinfo files to extract PHP configuration information. Attack traffic has originated from IP addresses including:

• 34.227.25[.]4
• 44.212.43[.]34
• 54.205.171[.]35
• 155.117.84[.]134
• 159.89.12[.]166

Sansec confirmed that attackers exploit the vulnerability by uploading PHP backdoors via the /customer/address_file/upload endpoint, masquerading as fake session files.

A detailed technical analysis by Searchlight Cyber describes CVE-2025-54236 as a nested deserialization flaw that allows remote code execution (RCE). This makes it the second major deserialization vulnerability affecting Adobe Commerce and Magento in just two years, following the CosmicSting flaw (CVE-2024-34102), which saw widespread exploitation in July 2024.

With proof-of-concept exploits now publicly available, online retailers, developers, and e-commerce administrators must prioritize patching vulnerable Magento and Adobe Commerce installations to safeguard sensitive customer data and prevent cyberattacks.

The post Critical Adobe Commerce & Magento Vulnerability CVE-2025-54236 Under Active Attack – Apply Security Patch Now appeared first on First Hackers News.