E-commerce security experts at Sansec have issued a warning about active exploitation targeting a newly disclosed Adobe Commerce and Magento Open Source vulnerability. Known as CVE-2025-54236 and nicknamed SessionReaper, this critical security flaw (CVSS score: 9.1) allows attackers to compromise customer accounts through the Commerce REST API.
Over the past 24 hours, Sansec has recorded more than 250 attack attempts against multiple online stores. Alarmingly, research indicates that 62% of Magento stores remain vulnerable six weeks after the public disclosure. Website administrators and e-commerce businesses are urged to apply security patches immediately to prevent customer account takeovers and potential data breaches.
The vulnerability was discovered and responsibly disclosed by security researcher Blaklis and was patched by Adobe last month. Threat actors have been leveraging this flaw to upload PHP webshells or probe phpinfo files to extract PHP configuration information. Attack traffic has originated from IP addresses including:
- 34.227.25[.]4
- 44.212.43[.]34
- 54.205.171[.]35
- 155.117.84[.]134
- 159.89.12[.]166
Sansec confirmed that attackers exploit the vulnerability by uploading PHP backdoors via the /customer/address_file/upload endpoint, masquerading as fake session files.
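The indicators above (the upload endpoint, phpinfo probing, and the listed source IPs) can be turned into a quick triage pass over web server access logs. The following is an added example written for this page, not code from Sansec, Searchlight Cyber or Adobe. It assumes the store's web server writes Apache/nginx combined-format logs, and the log lines it scans are constructed samples; a POST to /customer/address_file/upload is only a triage signal (the endpoint also serves legitimate customers), so hits should be confirmed against the uploaded files themselves.

```python
import re

# Source IPs listed in the Sansec report (defanging brackets removed so they match raw logs)
SESSIONREAPER_IPS = {
    "34.227.25.4",
    "44.212.43.34",
    "54.205.171.35",
    "155.117.84.134",
    "159.89.12.166",
}

# Upload endpoint that Sansec observed being abused, plus the phpinfo probing mentioned in the report
UPLOAD_ENDPOINT = "/customer/address_file/upload"
PHPINFO_PATTERN = re.compile(r"phpinfo", re.IGNORECASE)

# Apache/nginx combined log format (assumption: the store's web server uses it)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore the query string when matching paths
    return entry


def classify(entry):
    """Return the list of reasons a request looks related to SessionReaper activity (empty if none)."""
    reasons = []
    if entry["ip"] in SESSIONREAPER_IPS:
        reasons.append("known-attacker-ip")
    if entry["method"] == "POST" and entry["path"].startswith(UPLOAD_ENDPOINT):
        reasons.append("address_file_upload")
    if PHPINFO_PATTERN.search(entry["path"]):
        reasons.append("phpinfo-probe")
    return reasons


def scan_log(lines):
    """Return (ip, path, reasons) for every request that triggers at least one indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed or non-combined-format lines
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


# Constructed sample log lines: one benign catalog request, one upload from a listed IP,
# one phpinfo probe, one upload from an unlisted IP, and one plain GET from a listed IP.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2025:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120',
    '159.89.12.166 - - [15/Oct/2025:10:00:05 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 87',
    '198.51.100.9 - - [15/Oct/2025:10:00:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 312',
    '203.0.113.7 - - [15/Oct/2025:10:00:12 +0000] "POST /customer/address_file/upload?x=1 HTTP/1.1" 200 87',
    '34.227.25.4 - - [15/Oct/2025:10:00:20 +0000] "GET / HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {path:40} {', '.join(reasons)}")
```

Run it against the real access log with `scan_log(open("/var/log/nginx/access.log"))` (path is an assumption). Uploads flagged here should be followed by inspecting the files written under the customer address upload directory for PHP content, since Sansec reports the backdoors are dropped there disguised as session files.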
A detailed technical analysis by Searchlight Cyber describes CVE-2025-54236 as a nested deserialization flaw that allows remote code execution (RCE). This makes it the second major deserialization vulnerability affecting Adobe Commerce and Magento in just two years, following the CosmicSting flaw (CVE-2024-34102), which saw widespread exploitation in July 2024.
With proof-of-concept exploits now publicly available, online retailers, developers, and e-commerce administrators must prioritize patching vulnerable Magento and Adobe Commerce installations to safeguard sensitive customer data and prevent cyberattacks.