CVE-2026-25524
Published: 20 April 2026
Summary
CVE-2026-25524 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Openmage Magento. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 50.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the deserialization vulnerability by requiring timely flaw remediation through patching to OpenMage LTS version 20.17.0 or later.
Prevents exploitation by validating uploaded files during image and media handling to reject malicious PHAR files disguised as images.
Mitigates the threat by scanning uploads and media files for malicious code like PHAR deserialization payloads at system entry points.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing e-commerce web application via PHAR deserialization, directly mapping to Exploit Public-Facing Application (T1190).
NVD Description
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can…
more
trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.
Deeper analysisAI
CVE-2026-25524 is a deserialization vulnerability (CWE-502) in OpenMage LTS, an unofficial community-driven long-term support project for the Magento Community Edition e-commerce platform emphasizing backward compatibility. Prior to version 20.17.0, the software uses PHP functions such as getimagesize(), file_exists(), and is_readable() with potentially attacker-controllable file paths during image validation and media handling. These functions can trigger PHP object deserialization when processing phar:// stream wrapper paths, with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by uploading a malicious PHAR file disguised as a valid image file, then triggering one of the vulnerable PHP functions with a phar:// path pointing to the uploaded file. Successful exploitation requires high attack complexity (AC:H), such as crafting the PHAR to execute desired payloads upon deserialization, but leads to arbitrary code execution on the server with high impacts on confidentiality, integrity, and availability.
The OpenMage LTS project addresses this in version 20.17.0, as detailed in the release notes at https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0 and security advisory GHSA-fg79-cr9c-7369 at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369. Security practitioners should upgrade to 20.17.0 or later and review media upload configurations to restrict file types and paths.
Details
- CWE(s)