Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack
CVE-2025-54236 is a critical flaw in Adobe Commerce (formerly Magento) that allows attackers to remotely take over sessions on the e-commerce platform.
Stay secure with the latest e-commerce cybersecurity trends, news, and tips to protect your online business from cyber threats.
Search across headline titles and summaries.
Background for this topic.
E-commerce is the online sale of goods or services through storefronts, marketplaces, mobile apps, and supporting payment and fulfilment systems. Its important assets include customer identities and addresses, payment data or payment tokens, order records, pricing, and account credentials. Availability and transaction integrity matter alongside confidentiality: customers must be able to place orders, and prices, inventory, and delivery details must not be altered improperly.
Security concerns span public websites and APIs, account takeover and payment fraud, vulnerable third-party components, and integrations with payment, logistics, and marketing providers. TLS protects communications, while strong authentication, secure session handling, input validation, patching, and monitoring help protect accounts and transactions. Payment-card environments may fall under PCI DSS; privacy obligations also govern personal data. E-commerce operators need tested controls for detecting fraud, limiting access, preserving audit records, and responding when systems or transaction data are compromised.
Weekly headline count for the current query.
CVE-2025-54236 is a critical flaw in Adobe Commerce (formerly Magento) that allows attackers to remotely take over sessions on the e-commerce platform.
Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.
The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites.
More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.
Findings reveal growing cybersecurity risks in ecommerce, exposing vulnerabilities in PII handling and lack of basic security protections like HTTPS and WAFs
Users of Oracle's ERP for Web storefronts might not be aware of a misconfiguration which could put customer data at risk of exposure.
The infamous payment-skimmer cybercrime organization is exploiting CVE-2024-20720 in Magento for a novel approach to stealing card data.
Cybercriminals who conspire to put credit-card skimmers on e-commerce sites have hit some large vendors in the region.
Online shopping websites often lack basic security protections when it comes to PII, allowing malicious actors to capitalize on consumer data or perpetuate retail and hospitality scams.
Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires -- and other online services likely have the same problems.
The move by the e-commerce kahuna to offer advanced authentication to its 300+ million users has the potential to move the needle on the technology's adoption, security experts say.
Most automated attacks from the regions were against e-commerce and telecommunications organizations.
The global e-commerce company will pay millions of dollars in two separate lawsuits because of privacy and security violations, the FTC says.
New program enables students and early career professionals to learn critical skills required in today's entry-level cybersecurity field, helping address urgent cyber workforce jobs gap.
"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.
Automating your defenses can bring good tidings of great joy.
Study estimates a 16% growth in e-commerce fraud losses in just 12 months.
Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.
Analysts find five cookie-stuffing extensions, including one that's Netflix-themed, that track victim browsing and insert rogue IDs into e-commerce sites to rack up fake affiliate payments.