Cyber Resilience

CVE-2026-25524

High · Public PoC · RCE

Published: 20 April 2026

Modified
23 April 2026
CVSS v3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0054 (41.1st percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25524 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Openmage Magento. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 41.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25524 is a deserialization vulnerability (CWE-502) in OpenMage LTS, an unofficial, community-driven long-term support project for the Magento Community Edition e-commerce platform that emphasizes backward compatibility. Prior to version 20.17.0, the software passes potentially attacker-controllable file paths to PHP functions such as getimagesize(), file_exists(), and is_readable() during image validation and media handling. When such a path uses the phar:// stream wrapper, these functions can trigger PHP object deserialization of the archive's metadata. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by uploading a malicious PHAR file disguised as a valid image file, then triggering one of the vulnerable PHP functions with a phar:// path pointing to the uploaded file. Successful exploitation requires high attack complexity (AC:H), such as crafting the PHAR to execute desired payloads upon deserialization, but leads to arbitrary code execution on the server with high impacts on confidentiality, integrity, and availability.

The OpenMage LTS project addresses this in version 20.17.0, as detailed in the release notes at https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0 and security advisory GHSA-fg79-cr9c-7369 at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369. Security practitioners should upgrade to 20.17.0 or later and review media upload configurations to restrict file types and paths.

Vulnerability details

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing e-commerce web application via PHAR deserialization, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40488 (same product: Openmage Magento)
CVE-2024-13899 (same product class: CMS core)
CVE-2025-1971 (same product class: CMS core)
CVE-2025-24409 (same product class: CMS core)
CVE-2026-21289 (same product class: CMS core)
CVE-2026-34647 (same product class: CMS core)
CVE-2026-23899 (same product class: CMS core)
CVE-2026-35221 (same product class: CMS core)
CVE-2024-40749 (same product class: CMS core)
CVE-2025-1970 (same product class: CMS core)

Affected Assets

openmage / magento: ≤ 20.17.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly addresses the deserialization vulnerability by requiring timely flaw remediation through patching to OpenMage LTS version 20.17.0 or later.

SI-10 Information Input Validation (prevent)

Prevents exploitation by validating uploaded files during image and media handling to reject malicious PHAR files disguised as images.

Malicious code scanning at entry points (prevent / detect)

Mitigates the threat by scanning uploads and media files for malicious code like PHAR deserialization payloads at system entry points.
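The "Deeper analysis" section and the input-validation and scanning controls above describe the same defensive idea: a user-influenced path must never reach getimagesize(), file_exists() or is_readable() with a stream wrapper, and an uploaded "image" must be checked for content, not just for its extension. The following PHP is an added example written for this page; it is not code from OpenMage LTS or from the advisory, and it does not replace upgrading to 20.17.0. The function names (safeImageInfo, hasPharTrailer), the MIME allowlist, and the sample files are assumptions constructed for the demonstration; the trailer check relies on the phar format ending a signed archive with the four-byte magic "GBMB".

```php
<?php
// Added example (not OpenMage code): defensive checks applied before a
// media path reaches getimagesize()/file_exists()/is_readable().
// All names here are hypothetical.

declare(strict_types=1);

/** MIME types this hypothetical media handler is willing to accept. */
const ALLOWED_IMAGE_MIMES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Resolve a user-supplied media path inside $mediaRoot and return the result
 * of getimagesize() only if every check passes; otherwise return null.
 */
function safeImageInfo(string $userPath, string $mediaRoot): ?array
{
    // 1. No stream wrappers at all (phar://, data://, php://, ...). A plain
    //    media path never needs a scheme, so any "scheme://" prefix is rejected.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        return null;
    }
    // 2. No NUL bytes: they can truncate paths inside C-level file functions.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // 3. Canonicalise and confine the path to the media root (blocks ../ traversal).
    $root = realpath($mediaRoot);
    $real = realpath($mediaRoot . DIRECTORY_SEPARATOR . $userPath);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0
        || !is_file($real)) {
        return null;
    }
    // 4. Content sniffing: the detected MIME type must be an allowed image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);
    if (!in_array($mime, ALLOWED_IMAGE_MIMES, true)) {
        return null;
    }
    // 5. Polyglot check: a phar archive that carries a signature ends with four
    //    flag bytes followed by the magic "GBMB". A real image has no reason to
    //    end this way, so such a file is rejected even if its header sniffs as
    //    an image.
    if (hasPharTrailer($real)) {
        return null;
    }
    // 6. Only now hand the canonical, scheme-free path to getimagesize().
    $info = @getimagesize($real);
    return $info === false ? null : $info;
}

/** True if the last four bytes of the file are the phar signature magic "GBMB". */
function hasPharTrailer(string $path): bool
{
    $size = filesize($path);
    if ($size === false || $size < 8) {
        return false;
    }
    $fh = fopen($path, 'rb');
    fseek($fh, -4, SEEK_END);
    $magic = fread($fh, 4);
    fclose($fh);
    return $magic === 'GBMB';
}

// ---- Demonstration with constructed files in a temporary media directory ----
$mediaRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_demo_' . getmypid();
mkdir($mediaRoot, 0700, true);

// Constructed input: a genuine 1x1 transparent PNG.
file_put_contents($mediaRoot . '/ok.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
// Constructed input: a PNG header followed by a phar-style "GBMB" trailer
// (not a working archive, just enough to exercise the trailer check).
file_put_contents($mediaRoot . '/decoy.png',
    "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16) . "\0\0\0\0GBMB");

$cases = [
    'ok.png',                                    // accepted
    'decoy.png',                                 // rejected: phar trailer
    'phar://' . $mediaRoot . '/decoy.png/x.jpg', // rejected: stream wrapper
    '../../etc/hostname',                        // rejected: outside media root
];
foreach ($cases as $case) {
    $info = safeImageInfo($case, $mediaRoot);
    printf("%-60s => %s\n", $case,
        $info === null ? 'rejected' : "{$info[0]}x{$info[1]} {$info['mime']}");
}

// Remove the constructed files.
array_map('unlink', glob($mediaRoot . '/*'));
rmdir($mediaRoot);
```

The order of the checks matters: the scheme test runs first so that a `phar://` path is discarded before any filesystem call, which is the point at which the vulnerable functions would otherwise trigger deserialization. The MIME check alone is not sufficient, because a phar archive can be built with a valid image header, which is why the trailer check follows it.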
