Cyber Posture

CVE-2026-25524

Severity: High · Public PoC available

Published: 20 April 2026

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.

Mitigating Controls (NIST 800-53 r5) [AI]

[prevent] Directly addresses the deserialization vulnerability by requiring timely flaw remediation through patching to OpenMage LTS version 20.17.0 or later.

[prevent] Prevents exploitation by validating uploaded files during image and media handling to reject malicious PHAR files disguised as images.

[prevent, detect] Mitigates the threat by scanning uploads and media files for malicious code such as PHAR deserialization payloads at system entry points.

Security Summary [AI]

CVE-2026-25524 is a deserialization vulnerability (CWE-502) in OpenMage LTS, an unofficial community-driven long-term support project for the Magento Community Edition e-commerce platform emphasizing backward compatibility. Prior to version 20.17.0, the software uses PHP functions such as getimagesize(), file_exists(), and is_readable() with potentially attacker-controllable file paths during image validation and media handling. These functions can trigger PHP object deserialization when processing phar:// stream wrapper paths, with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by uploading a malicious PHAR file disguised as a valid image file, then triggering one of the vulnerable PHP functions with a phar:// path pointing to the uploaded file. Successful exploitation requires high attack complexity (AC:H), such as crafting the PHAR to execute desired payloads upon deserialization, but leads to arbitrary code execution on the server with high impacts on confidentiality, integrity, and availability.

The OpenMage LTS project addresses this in version 20.17.0, as detailed in the release notes at https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0 and security advisory GHSA-fg79-cr9c-7369 at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fg79-cr9c-7369. Security practitioners should upgrade to 20.17.0 or later and review media upload configurations to restrict file types and paths.
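The description and summary above both come down to one defensive rule: a path that an uploader can influence must never reach `getimagesize()`, `file_exists()` or `is_readable()` while it can still carry a `phar://` (or any other) stream wrapper. The following is an added illustration of that rule in PHP; it is not OpenMage's own code or patch, and `resolveMediaPath`, `validateImage` and the media-root argument are hypothetical names chosen for the example.

```php
<?php
// Added defensive example, not OpenMage code. Assumes a media root directory
// and a user-influenced relative file name (hypothetical names throughout).
declare(strict_types=1);

// Defence in depth: if the application never needs phar://, drop the wrapper
// at bootstrap so the file functions cannot trigger phar metadata
// deserialization even if a path check elsewhere is missed.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Resolve a user-influenced path to a real file under $mediaRoot, or null.
 * Refuses any "scheme://" prefix (phar://, data://, php://, ...), NUL bytes,
 * and anything that resolves outside the media root, so only plain
 * filesystem paths are ever handed to the PHP file functions.
 */
function resolveMediaPath(string $userPath, string $mediaRoot): ?string
{
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $userPath) === 1) {
        return null;                      // stream wrapper present: reject
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                      // NUL byte: reject
    }
    $root = realpath($mediaRoot);
    $real = realpath($mediaRoot . DIRECTORY_SEPARATOR . $userPath);
    if ($root === false || $real === false) {
        return null;                      // root or file does not exist
    }
    // Containment: the resolved file must sit strictly inside the media root.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Run image validation only on a path that has already been sanitised. */
function validateImage(string $userPath, string $mediaRoot): bool
{
    $path = resolveMediaPath($userPath, $mediaRoot);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $info = @getimagesize($path);         // now a plain filesystem path
    return $info !== false;
}
```

Unregistering the phar wrapper is only appropriate where the application itself never opens `.phar` archives at runtime; where it does, the path sanitisation alone is the applicable control.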

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

openmage / magento: ≤ 20.17.0

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing e-commerce web application via PHAR deserialization, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References