Overview
- E-commerce security firm Sansec recorded and blocked more than 250 exploitation attempts against multiple stores within 24 hours.
- The flaw (CVE-2025-54236) enables customer account takeover via the Commerce REST API and, under file-based session configurations, can allow unauthenticated remote code execution, according to a new technical analysis.
- Roughly 62% of online Magento stores have not applied Adobe’s fix six weeks after release, indicating slow patch adoption.
- Observed payloads include PHP webshells and phpinfo probes uploaded as fake sessions via the '/customer/address_file/upload' endpoint, with attempts traced to a small set of IP addresses.
- Researchers warn of likely mass automated exploitation as detailed writeups and proof-of-concept code circulate, urging immediate patching, mitigations, and compromise scans.