All news with #adobe commerce tag

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation: CVE-2025-54236, affecting Adobe Commerce and Magento, and CVE-2025-59287, affecting Microsoft Windows Server Update Services (WSUS). The issues—an improper input validation flaw and a deserialization of untrusted data vulnerability—are common attack vectors that pose significant risk to enterprise networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management.

Over 250 Magento Stores Targeted Using SessionReaper Bug

⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.