Security researchers at the e-commerce security firm Sansec have discovered that threat actors are actively exploiting a vulnerability in the Adobe Commerce and Magento Open Source platforms.
Tracked as CVE-2025-54236, the vulnerability carries a critical severity rating with a CVSS score of 9.1. It stems from improper input validation and could allow attackers to hijack customer accounts via the Commerce REST API.
Sansec reports that 62% of Magento stores have yet to apply the fix, leaving them exposed six weeks after public disclosure. Adobe has confirmed that the vulnerability is being actively exploited in the wild.
The attacks originate from several IP addresses. Threat actors use the vulnerability to upload PHP webshells disguised as fake sessions through the /customer/address_file/upload endpoint, or to gather PHP configuration details by probing for phpinfo.
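The two indicators named above (requests to the /customer/address_file/upload endpoint and phpinfo probes) can be pulled out of ordinary web-server access logs. The script below is an added example written for this post, not code from Sansec or Qualys; it parses combined-format log lines (the sample lines are constructed) and reports matching requests grouped by source address. The substring match on the endpoint path, which tolerates a store-code prefix such as /en/, is an assumption about how the front controller exposes the route.

```python
"""Flag access-log entries that match the exploitation indicators described
above: requests to the /customer/address_file/upload endpoint and probes for
phpinfo. Added example, not Sansec's or Qualys's code. The log lines are
constructed for the example (Apache/nginx combined log format)."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Constructed sample: one source hitting both indicators, an ordinary catalog
# request, an upload request behind a store-code prefix, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Oct/2025:10:15:02 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Oct/2025:10:15:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 180 "-" "curl/8.0"',
    '198.51.100.7 - - [17/Oct/2025:10:16:30 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Oct/2025:10:17:00 +0000] "POST /en/customer/address_file/upload HTTP/1.1" 200 300 "-" "python-requests/2.31"',
    'not a log line',
]


def classify(target: str) -> Optional[str]:
    """Name the indicator a request target matches, or None if it matches none."""
    path = urlsplit(target).path.lower()
    # Substring match so a store-code prefix such as /en/ does not hide the endpoint
    # (assumption: routing keeps the endpoint path segment intact).
    if UPLOAD_ENDPOINT in path:
        return "address_file upload endpoint"
    if "phpinfo" in path:
        return "phpinfo probe"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose request target matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip it
        indicator = classify(m["target"])
        if indicator is None:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": m["status"], "indicator": indicator,
        })
    return findings


def sources(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per source IP (the attacks come from several addresses)."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["indicator"]}')
    print("by source:", dict(sources(hits)))
```

The upload endpoint also exists on patched stores, so a hit is a review candidate rather than proof of compromise; a 2xx response to a POST on that endpoint from an address that also probed for phpinfo is the combination worth examining first.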
This vulnerability adds to the recent challenges Adobe Commerce and Magento have faced. It follows another serious deserialization vulnerability, CosmicSting (CVE-2024-34102), which was widely exploited last year.
With proof-of-concept exploits now circulating publicly, store owners and administrators should apply the security patches promptly to prevent further compromise.
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities (KEV) Catalog and urging users to patch before November 11, 2025.
Qualys Threat Intelligence has assigned the vulnerability a Qualys Vulnerability Score (QVS) of 95. QVS is a Qualys-assigned score based on multiple factors associated with the CVE, such as its CVSS score and external threat indicators like active exploitation, exploit code maturity, and inclusion in CISA’s KEV catalog, among others.
Affected versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier | All |
| Adobe Commerce B2B | 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier | All |
| Magento Open Source | 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier | All |
Mitigation
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce and Magento Open Source | Hotfix for CVE-2025-54236; compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7 | All |
For more information, please refer to the Adobe Security Advisory (APSB25-88).
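To turn the affected-versions table and the hotfix compatibility range above into a quick check, the script below compares an installed version against both. It is an added example, not Adobe's or Qualys's tooling; the version ceilings and the 2.4.4 to 2.4.7 hotfix range are taken from the tables above, while the idea that the version string comes from the output of `bin/magento --version` and the exact banner text ("Magento CLI 2.4.7-p6" is a constructed sample) are assumptions.

```python
"""Check an installed Adobe Commerce, Adobe Commerce B2B or Magento Open Source
version against the affected-version and hotfix tables from the advisory
summarized above. Added example, not Adobe's or Qualys's tooling. The banner
format of `bin/magento --version` used in the sample is an assumption."""
import re
from typing import Optional, Tuple

# Ceilings copied from the affected-versions table: each entry is "<version> and earlier".
AFFECTED_CEILINGS = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7", "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14"],
}

# From the mitigation table: the hotfix is compatible with versions 2.4.4 through 2.4.7.
HOTFIX_RANGE = ((2, 4, 4), (2, 4, 7))

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Order within one x.y.z line: alpha < beta < GA release (no suffix) < p1 < p2 ...
STAGE_ORDER = {"alpha": 0, "beta": 1, None: 2, "p": 3}

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.4.7-p6' into a comparable tuple (major, minor, patch, stage, number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), STAGE_ORDER[stage], int(num or 0))


def version_from_banner(banner: str) -> str:
    """Extract the version from a CLI banner such as 'Magento CLI 2.4.7-p6' (format assumed)."""
    m = re.search(r"\d+\.\d+\.\d+(?:-(?:alpha|beta|p)\d+)?", banner)
    if not m:
        raise ValueError(f"no version found in: {banner!r}")
    return m.group(0)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is at or below the ceiling listed for its x.y.z line,
    False if it is above that ceiling, None if the table lists no such line."""
    v = parse_version(version)
    for ceiling in AFFECTED_CEILINGS[product]:
        c = parse_version(ceiling)
        if v[:3] == c[:3]:
            return v <= c
    return None


def hotfix_compatible(version: str) -> bool:
    """True if the x.y.z line is within 2.4.4 to 2.4.7, the range the mitigation
    table gives for the hotfix (Adobe Commerce and Magento Open Source)."""
    line = parse_version(version)[:3]
    return HOTFIX_RANGE[0] <= line <= HOTFIX_RANGE[1]


if __name__ == "__main__":
    banner = "Magento CLI 2.4.7-p6"  # constructed sample output
    ver = version_from_banner(banner)
    print(ver, "affected:", is_affected("Magento Open Source", ver),
          "hotfix compatible:", hotfix_compatible(ver))
```

A result of None means the installed line does not appear in the table at all (for example 2.4.4-p15 is listed only under Adobe Commerce, not Magento Open Source), which should be read as "consult the advisory", not as "unaffected". A store on 2.4.8 falls outside the stated hotfix range, so the patched release for that line is the relevant remedy rather than the hotfix.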
Qualys Detection
Qualys customers can scan their devices with QIDs 733319 and 530559 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com/security/products/magento/apsb25-88.html