Critical Vulnerability Discovered in Adobe Commerce Platforms Exposes Over 250 Magento Stores

By Tina Reynolds

Recently, a major security flaw, CVE-2025-54236, was discovered in the Adobe Commerce and Magento Open Source platforms. This vulnerability has a critical CVSS score of 9.1. At the same time, it creates a huge threat to online retailers because attackers could hijack customer accounts through the Commerce REST API. The alert released by the Dutch cybersecurity firm Sansec is as shocking as it is sobering. Threat actors have already started taking advantage of this vulnerability, with more than 250 attack attempts in just the last 24 hours.

Yet shockingly, even six weeks after this vulnerability went public, an astounding 62% of Magento stores are still unpatched. It’s past time for website administrators to patch these vulnerabilities without delay. “Getting patches applied quickly is critical to preventing more widespread exploitation,” said Sansec. With the threat landscape around online security changing constantly, staying on guard at all times is the only way businesses can protect their customers’ data.

Details of the Vulnerability

CVE-2025-54236 is an improper loop control issue. Threat actors can leverage this vulnerability to hijack customer accounts and use them for fraud. It exposes a major chink in the armor of the Adobe Commerce ecosystem, aimed directly at its feature-rich REST API. Malicious actors can use this weakness to undermine the protection of sensitive customer information, which raises serious questions for businesses that depend on these platforms for their e-commerce activities.

Apart from CVE-2025-54236, specialists discovered one more critical vulnerability, dubbed CosmicSting (CVE-2024-34102). This flaw was exploited throughout July 2024 and carried an alarmingly high CVSS score of 9.8. It allowed attackers to upload PHP backdoors by abusing the ‘/customer/address_file/upload’ endpoint, and they covered their tracks with a sham session. The two vulnerabilities are related, and together they exemplify a wider, distressing trend in security flaws that directly affect Adobe Commerce and Magento systems.
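Store operators who want to check whether their own site saw the CosmicSting-style activity described above can look for it in ordinary web-server access logs. The following is an added detection example written for this article; it is not code from Sansec, Adobe or the Magento project. It assumes logs in the common Apache/nginx combined format, flags POST requests to the ‘/customer/address_file/upload’ endpoint named in the text, and also flags direct requests for .php files other than the front controllers a stock Magento pub/ directory exposes (that allowlist is an assumption about the deployment; adjust it to match your install). The sample log lines are constructed for the demonstration.

```python
"""Scan access logs for CosmicSting-style upload abuse (added example, not from the article)."""
import re
from collections import Counter

# Apache/nginx combined log format; we only need ip, time, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint abused in the CosmicSting attacks described in the article.
UPLOAD_ENDPOINT = "/customer/address_file/upload"

# Front controllers a stock Magento pub/ directory serves directly.
# Assumption about the deployment: anything else ending in .php is suspicious.
ALLOWED_PHP = {"/index.php", "/get.php", "/static.php", "/cron.php", "/health_check.php"}

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:08:01:12 +0000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2025:08:02:44 +0000] "POST /customer/address_file/upload/ HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2025:08:02:50 +0000] "POST /customer/address_file/upload/ HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2025:08:03:01 +0000] "GET /media/customer_address/a/b/backdoor.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2025:08:04:00 +0000] "GET /static.php?resource=frontend/Magento/luma/en_US/css/styles.css HTTP/1.1" 200 90011 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def scan(lines):
    """Return upload-endpoint POSTs, suspicious .php fetches and per-IP upload counts."""
    uploads, php_fetches, per_ip = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].rstrip("/")
        # endswith() tolerates a store-code prefix such as /en/customer/...
        if rec["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            uploads.append(rec)
            per_ip[rec["ip"]] += 1
        elif path.endswith(".php") and path not in ALLOWED_PHP:
            php_fetches.append(rec)
    return {"uploads": uploads, "php_fetches": php_fetches, "per_ip": per_ip}


def report(result):
    """Render the scan result as human-readable lines for a ticket or alert."""
    lines = []
    for ip, n in result["per_ip"].most_common():
        lines.append(f"{ip}: {n} POST(s) to {UPLOAD_ENDPOINT}")
    for rec in result["php_fetches"]:
        lines.append(f"{rec['ip']} fetched non-standard PHP file {rec['path']} ({rec['status']}) at {rec['time']}")
    return lines


if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG)):
        print(line)
```

Run it against a real log with `scan(open("access.log"))`; a burst of POSTs to the upload endpoint from one address, followed by a request for a .php file under the media directory, is the pattern worth escalating. A hit on an already-patched store still deserves a look, because the article notes attackers hid their activity behind a sham session, so the upload may have happened before the patch was applied.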

Urgent Response Needed from Website Administrators

As of this writing, Sansec has tracked several attempts by attackers to exploit CVE-2025-54236 against different online stores within just the past 24 hours. This alarming trend further highlights the need for swift action from website operators: only they can protect their users by deploying the patches that so urgently need to be applied, which in turn shields their customer bases from identity theft and other malicious activities.

The cybersecurity community is fighting back and closely monitoring developments. PoC exploits and further information about CVE-2025-54236 have now been released into the wild. These resources are a double-edged sword: on one hand, they ensure that security professionals are aware of new threats; on the other, they provide the tools future attackers need to take advantage of unpatched systems.