CVE-2025-54236 — Adobe Commerce and Magento Improper Input Validation Vulnerability

Adobe Commerce / Magento — SessionReaper: Pre-Auth REST API File Upload to Webshell RCE (250+ Stores Hit Overnight)

What is Adobe Commerce / Magento?

Adobe Commerce (formerly Magento Commerce) and Magento Open Source are the world's most widely deployed e-commerce platforms, powering hundreds of thousands of online stores globally — from small businesses to large enterprises. The platform handles payment processing, customer accounts, product catalogs, and order management. Magento is a persistent target for threat actors seeking to deploy payment card skimmers (Magecart attacks), steal customer data, and access stored payment credentials. The Commerce REST API provides programmatic access to nearly all store functions and is commonly used by integrations and mobile apps.

Overview

CVE-2025-54236 (nicknamed SessionReaper by Sansec) is a critical improper input validation vulnerability (CWE-20) in Adobe Commerce and Magento Open Source's REST API. The /V1/customers/address_file/upload endpoint accepts file uploads that are stored as PHP session data. On systems using file-based PHP session storage, a maliciously crafted upload triggers a nested deserialization chain that escalates from unauthorized file write to full unauthenticated remote code execution. Mass exploitation began on 22 October 2025, with over 250 stores compromised overnight and over 60% of global Magento stores unpatched at the time of initial exploitation.

Affected Versions

Product                                      Vulnerable   Fixed
Adobe Commerce 2.4.9-alpha2 and earlier      All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce 2.4.8-p2 and earlier          All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce 2.4.7-p7 and earlier          All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce 2.4.6-p12 and earlier         All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce 2.4.5-p14 and earlier         All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce 2.4.4-p15 and earlier         All          Hotfix VULN-32437-2-4-X-patch
Magento Open Source (same version ranges)    All          Hotfix VULN-32437-2-4-X-patch
Adobe Commerce B2B (corresponding versions)  All          Hotfix VULN-32437-2-4-X-patch

Also update the Custom Attributes Serializable module to version 0.4.0 or higher.

Technical Details

The vulnerability (CWE-20: Improper Input Validation) is in Magento's customer address file upload endpoint and the Custom Attributes module. The REST API endpoint /V1/customers/address_file/upload allows uploading files that are associated with customer address records. These files are stored as PHP-serialized data in session files on the filesystem.

The exploit chain works as follows:

  1. Attacker uploads a malicious file via the REST API endpoint — no authentication required.
  2. The uploaded content is stored as PHP-serialized session data on the server filesystem.
  3. When PHP processes a subsequent request and loads the session data, it deserializes the malicious content.
  4. The deserialization triggers a PHP gadget chain in Magento's Custom Attributes Serializable module, escalating from file write to OS command execution.

Observed attack payloads deployed PHP webshells and phpinfo() probes for reconnaissance. The attack does not require any prior account, session, or authentication.

Discovery

Discovered by Blaklis via Adobe's HackerOne bug bounty program in August 2025. Sansec named the vulnerability "SessionReaper" and published its disclosure on September 9, 2025.

Exploitation Context

Mass exploitation began on 22 October 2025, three weeks before the CISA deadline. Over 250 Adobe Commerce and Magento stores were compromised in a single overnight wave — with automated attacks deploying PHP webshells and phpinfo probes. Sansec's threat intelligence reported that over 60% of global Magento stores were still running unpatched versions at the time of mass exploitation. CISA added CVE-2025-54236 to the KEV catalog on 24 October 2025. No specific named threat actor has been attributed; the automated, wide-scale exploitation pattern is consistent with Magecart-affiliated criminal actors known for targeting Magento stores.

Remediation

  1. Apply hotfix VULN-32437-2-4-X-patch immediately — download from the Adobe Commerce Marketplace or via Composer. Follow the Adobe APSB25-88 guidance.
  2. Update the Custom Attributes Serializable module to version 0.4.0 or higher.
  3. Hunt for webshells: search the Magento file system for unexpected .php files in pub/, var/, generated/, or upload directories. Use file integrity monitoring tools (e.g., Sansec eComscan).
  4. Review PHP session files in var/session/ for anomalous content — malicious session files contain PHP-serialized gadget chains rather than normal session data.
  5. Check for unauthorized admin accounts in Magento Admin → System → All Users.
  6. Review payment integrations and checkout pages for Magecart skimmer injection — compromised stores are often subsequently used to harvest payment card data.
  7. Enable Magento Two-Factor Authentication for admin accounts to reduce the risk of admin panel takeover following webshell deployment.
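Steps 3 and 4 above as a defender-side triage script. This is an added example, not Adobe's, Sansec's or Magento's own tooling; it assumes file-based PHP sessions in var/session/ (sess_* files) and uploads under pub/media/, and the class name Example\Gadget\Foo in the constructed sample is a placeholder, not a real gadget class.

```python
"""Triage helpers for CVE-2025-54236 (SessionReaper) artefacts on a Magento host."""
import re
from pathlib import Path

# A serialized PHP object looks like  O:<len>:"<Class>":<props>:{...}.
# Normal Magento session files carry arrays (a:) and scalars (s:, i:, b:);
# an object marker inside var/session/ deserves analyst review.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Markers for the PHP webshells and phpinfo() probes described on the page.
SHELL_HINTS = (b"<?php", b"phpinfo(")
PHP_SUFFIXES = (".php", ".phtml", ".phar")


def serialized_classes(session_bytes: bytes) -> list[str]:
    """Return the class names of every PHP object embedded in a session payload."""
    return [m.group(1).decode() for m in PHP_OBJECT_RE.finditer(session_bytes)]


def scan_sessions(session_dir: Path) -> dict[str, list[str]]:
    """Map each session file that contains serialized objects to the classes it carries."""
    hits: dict[str, list[str]] = {}
    for f in session_dir.glob("sess_*"):
        classes = serialized_classes(f.read_bytes())
        if classes:
            hits[f.name] = classes
    return hits


def is_suspicious_upload(name: str, head: bytes) -> bool:
    """True if an upload is PHP by extension or its leading bytes contain PHP/phpinfo markers."""
    return name.lower().endswith(PHP_SUFFIXES) or any(h in head for h in SHELL_HINTS)


def scan_uploads(media_dir: Path) -> list[str]:
    """List files under pub/media that should never be executable PHP."""
    return sorted(
        str(f.relative_to(media_dir))
        for f in media_dir.rglob("*")
        if f.is_file() and is_suspicious_upload(f.name, f.read_bytes()[:4096])
    )


# Constructed samples (not captured data): a benign Magento-style session and
# one carrying a serialized object of the hypothetical class Example\Gadget\Foo.
BENIGN_SESSION = b'_session_validator_data|a:1:{s:11:"remote_addr";s:9:"127.0.0.1";}'
SUSPECT_SESSION = b'default|a:1:{s:4:"data";O:18:"Example\\Gadget\\Foo":1:{s:3:"arg";s:3:"xyz";}}'

if __name__ == "__main__":
    root = Path(".")  # assumption: run from the Magento installation root
    print("sessions with serialized objects:", scan_sessions(root / "var" / "session"))
    print("suspicious uploads:", scan_uploads(root / "pub" / "media"))
```

Any reported class name is a lead for review, not a verdict; compare it against what your own extensions legitimately store in sessions before acting.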

Key Details

Property               Value
CVE ID                 CVE-2025-54236
Vendor / Product       Adobe — Commerce and Magento
NVD Published          2025-09-09
NVD Last Modified      2026-04-01
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-20
CISA KEV Added         2025-10-24
CISA KEV Deadline      2025-11-14
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-11-14. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-09-09   CVE published; Sansec names the vulnerability 'SessionReaper'; hotfix released
2025-10-22   Mass exploitation begins — over 250 Adobe Commerce and Magento stores compromised overnight
2025-10-24   CISA adds to Known Exploited Vulnerabilities catalog; over 60% of global Magento stores still unpatched
2025-11-14   CISA BOD 22-01 remediation deadline