Critical Adobe Commerce/Magento Vulnerability Exploited in Over 250 Attack Attempts

What happened

Security researchers at e-commerce protection firm Sansec reported that threat actors have begun actively exploiting a recently disclosed vulnerability affecting Adobe Commerce and Magento Open Source. The flaw is tracked as CVE-2025-54236 and carries a CVSS score of 9.1. Sansec recorded more than 250 attack attempts against multiple Magento stores over a 24‑hour period following disclosure.

Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours.

Why this matters — background and context

Magento (branded Adobe Commerce for the paid edition) remains one of the largest e-commerce platforms in use worldwide. Its prevalence makes it an attractive target: a single successful exploit can provide access to payment data, customer records, or storefront infrastructure that attackers can monetize quickly.

• Historically, Magento instances have been a frequent target for large-scale campaigns such as Magecart payment‑skimming operations and mass site compromises. Attackers often scan for unpatched vulnerabilities and automatically exploit vulnerable endpoints at scale.
• A CVSS 9.1 rating indicates a high‑severity issue; vulnerabilities in the improper input validation category commonly enable injection, unauthorized access, or code execution depending on the vulnerable component and the surrounding configuration.
• Mass exploitation attempts within hours or days of disclosure reflect an established pattern: threat actors and automated scanners rapidly incorporate new advisories and proof‑of‑concepts into their toolsets, seeking easy targets before administrators can patch.

Expert analysis — what practitioners should consider

For security teams supporting Magento/Adobe Commerce deployments, this event reinforces several practical lessons:

• Assume rapid weaponization: public disclosure of a high‑severity vulnerability often results in automated scanning and exploit attempts within hours. Exposure windows are short, so rapid assessment and mitigation are essential.
• Prioritize risk‑based patching: maintain an inventory of Adobe Commerce and Magento Open Source versions in production and prioritize patching or mitigations for high CVSS vulnerabilities affecting externally facing components.
• Defensive layering matters: even when a patch is not immediately available or cannot be applied instantly for business reasons, compensating controls (WAF rules, restricting access to admin panels, network segmentation) can meaningfully reduce risk.
• Monitor for exploitation indicators: focus log and telemetry analysis on anomalous POST/GET patterns, unexpected parameters, sudden file modifications, new admin accounts, or unusual outbound telemetry from web servers to unknown domains.

Comparable incidents and sector patterns

While this disclosure is the latest in a continuing stream of high‑impact e‑commerce vulnerabilities, the pattern is familiar:

• Magento has been targeted repeatedly by payment‑skimming groups that compromise storefronts and inject malicious JavaScript into payment pages. Those campaigns typically rely on phishing, outdated extensions, or platform vulnerabilities to gain initial access.
• Large‑scale automated exploitation of newly disclosed CMS and e‑commerce vulnerabilities is a recurring trend across platforms — threat actors treat public advisories as a playbook for opportunistic mass scanning.
• Organizations that delayed patching in prior incidents frequently saw rapid follow‑on compromises; conversely, those with robust patch management, WAF coverage, and monitoring often contained or prevented exploitation.

Potential risks and practical recommendations

The immediate risk profile depends on the vulnerability’s impact, network exposure, and existing mitigations. Given the critical severity and the rapid exploitation attempts already observed, teams should act on multiple fronts:

• Confirm exposure and prioritize patching
  • Inventory all Adobe Commerce and Magento Open Source installations and their versions. Check with Adobe’s and Magento’s official advisories for patches or vendor guidance and apply fixes as soon as they are verified in staging.
  • Where immediate patching is not possible, follow vendor‑recommended mitigations and consider taking affected components offline until they can be updated.
• Deploy and tune a WAF
  • Implement Web Application Firewall rules to block exploit signatures and anomalous parameter content. Customized WAF rules can buy time while a full patch is scheduled.
• Harden access and restrict attack surface
  • Restrict access to administrative endpoints by IP allowlisting or VPN. Place management interfaces behind additional authentication and monitoring.
  • Disable or remove unused extensions, modules, and endpoints to reduce potential vectors attackers can chain.
• Hunt and monitor for indicators of compromise
  • Search web server and application logs for unusual requests, unexpected POST parameters, sudden spikes in 4xx/5xx errors, or requests to rarely used endpoints.
  • Look for file integrity anomalies (new or changed PHP/JS files), newly created admin users, or scheduled tasks that were not authorized.
  • Correlate logs with network telemetry to spot unusual outbound connections that might indicate data exfiltration or C2 callbacks.
• Contain and remediate suspected compromises
  • If compromise is suspected, isolate affected systems, preserve logs and forensic snapshots, rotate credentials, and review payment processing paths for signs of skimming or tampering.
  • Coordinate with incident response and legal/compliance teams for customer notification obligations and PCI DSS considerations where payment data may be involved.
• Operational hygiene
  • Ensure backups are current and tested, apply least privilege for application and database accounts, and keep third‑party extensions up to date or replaced if unmaintained.
  • Maintain a patch cadence and vulnerability management process that includes timely assessment of vendor advisories and rapid risk triage.

Detection tips for defenders (practical queries)

Below are non‑exhaustive, high‑level detection activities practitioners can run in their environments. Avoid sharing exploit specifics publicly; focus detection on anomalous behavior:

• Search web logs for unusual or newly seen parameter names and repeated requests that trigger application errors.
• Monitor for unexpected file writes under webroot and for changes to core CMS files and templates.
• Review authentication and admin activity logs for new administrative accounts, privilege escalations, or logins from unfamiliar IP addresses.
• Inspect outgoing network connections from web servers to unknown or suspicious domains, particularly right after a detected suspicious request.

Conclusion

The rapid exploitation activity observed by Sansec underscores the persistent risk faced by operators of Adobe Commerce and Magento Open Source storefronts. A high‑severity improper input validation flaw has already attracted automated attack attempts, demonstrating the short window between disclosure and active exploitation. Organizations should treat this as an urgent operational priority: inventory affected assets, apply vendor guidance and patches, implement compensating controls such as a tuned WAF and restricted admin access, and hunt for indicators of compromise. Proactive monitoring and a layered defense approach remain the most effective ways to limit damage while remediation is underway.

Source: thehackernews.com