In a significant cybersecurity incident, over 250 Magento-based e-commerce stores have been compromised within a 24-hour period. This surge in attacks is attributed to the exploitation of a critical vulnerability, identified as CVE-2025-54236, in Adobe Commerce and Magento Open Source platforms. The flaw, known as SessionReaper, allows attackers to hijack customer accounts through the Commerce REST API.
Adobe addressed this vulnerability last month, crediting security researcher Blaklis for its discovery and responsible disclosure. Despite the availability of patches, e-commerce security firm Sansec reports that approximately 62% of Magento stores remain unpatched six weeks after the public disclosure. This delay in applying security updates has left a substantial number of online retailers exposed to potential exploitation.
The recent attacks have been traced back to several IP addresses, including:
– 34.227.25[.]4
– 44.212.43[.]34
– 54.205.171[.]35
– 155.117.84[.]134
– 159.89.12[.]166
Threat actors are exploiting the vulnerability to upload PHP webshells via the ‘/customer/address_file/upload’ endpoint, masquerading as legitimate sessions. These webshells provide attackers with persistent access to the compromised systems, enabling them to execute arbitrary commands and potentially exfiltrate sensitive data.
The nature of CVE-2025-54236 involves a nested deserialization flaw, which can lead to remote code execution. This type of vulnerability is particularly dangerous as it allows attackers to execute malicious code on the server, potentially leading to full system compromise. The exploitation of deserialization vulnerabilities in Adobe Commerce and Magento platforms is not unprecedented. In July 2024, a similar critical flaw, dubbed CosmicSting (CVE-2024-34102), was widely exploited, underscoring the persistent threat posed by such vulnerabilities.
The current exploitation of CVE-2025-54236 highlights the critical importance of timely patch management. E-commerce platforms are lucrative targets for cybercriminals due to the vast amounts of sensitive customer data they handle, including payment information. Failure to apply security patches promptly can result in significant financial losses, reputational damage, and legal liabilities for affected businesses.
Historical Context:
The Magento platform has a history of being targeted by cybercriminals exploiting various vulnerabilities:
– CosmicSting Exploit (July 2024): A critical deserialization vulnerability (CVE-2024-34102) was exploited, affecting numerous Adobe Commerce and Magento stores.
– Google Tag Manager Abuse (February 2025): Attackers leveraged Google Tag Manager to deploy credit card skimmers on Magento-based e-commerce websites, compromising customer payment information.
– Xurum Attacks (August 2023): A campaign targeting Magento 2 sites exploited a critical vulnerability (CVE-2022-24086) to gain unauthorized access and steal payment data.
These incidents underscore the ongoing threats faced by e-commerce platforms and the necessity for robust security measures.
Recommendations for Magento Store Owners:
1. Immediate Patch Application: Ensure that all security patches released by Adobe are applied promptly to mitigate known vulnerabilities.
2. Regular Security Audits: Conduct comprehensive security assessments to identify and remediate potential weaknesses in your e-commerce platform.
3. Monitor for Suspicious Activity: Implement monitoring tools to detect unusual activities, such as unauthorized file uploads or changes to critical system files.
4. Restrict Access: Limit access to administrative interfaces and APIs to trusted IP addresses and users.
5. Educate Staff: Provide training for employees on security best practices and the importance of timely software updates.
By proactively addressing security vulnerabilities and maintaining vigilant monitoring, Magento store owners can significantly reduce the risk of compromise and protect their customers’ sensitive information.
