In early September, a serious vulnerability tracked as CVE-2025-54236 was disclosed in the Magento e-commerce platform. The flaw, dubbed SessionReaper, is caused by improper input validation and allows remote code execution: attackers can hijack live customer sessions and potentially take full control of the server. Researchers warn of severe consequences, including customer account takeover and data theft, especially because unpatched stores expose sensitive consumer data.
The vulnerability stems from Magento's failure to adequately validate input data, which lets attackers use crafted session files to impersonate legitimate users. Researchers reported more than 250 compromises within a day of the exploit's public release, so rapid action is needed. Although a patch has been available since September 9, roughly 62% of stores reportedly have not applied it, and store owners urgently need to secure their platforms. Consumers are advised to stay vigilant: avoid entering personal details on suspicious sites and prefer third-party payment gateways where possible. Keeping software up to date remains crucial for protection against threats like this.
👉 Read the original: Malwarebytes