























| Name | Mgt_Varnish |
| Vulnerable | 1.0.10 and earlier |
| Fixed in | 1.1.0 |
Sansec researchers discovered a critical vulnerability in the popular Varnish module for Magento. This module, developed by MGT Commerce, contains a hidden backdoor that allows remote PHP code execution.
The backdoor was likely inserted to enable remote upgrades and debugging support. However, the protection mechanism can be trivially bypassed and it poses a serious risk to all stores running Mgt_Varnish version 1.0.10 or earlier.
Sansec ran a global Internet scan and found hundreds of vulnerable stores.
The backdoor is located in the feed update controller (Mgt/Varnish/Controller/Feed/Update.php). When activated, it writes attacker-supplied code to a temporary file and executes it as PHP. The code attempts to restrict access to a single IP address (54.84.48.253), apparently used by MGT Commerce:
console-test.mgt.io
feed.mgt-commerce.com
However, there are two flaws in the protection mechanism:
MD5 is unsafe: The "management IP" is hidden using an MD5 hashing function. MD5 has been deprecated since 2004 and can be broken in about 40 seconds using modern hardware.
IP spoofing: The IP check uses X-Forwarded-For headers, which in many configurations can be spoofed by an attacker. This header is typically set by proxies and load balancers, but if not properly validated, an attacker can inject their own value. This effectively allows anyone to execute arbitrary PHP code on the server.
Search for the file Mgt/Varnish/Controller/Feed/Update.php. If it exists and contains md5($remoteAddress) your store is at risk.
The backdoor code has multiple variants with different obfuscation levels, but all versions contain the same vulnerability.
This vulnerability allows remote code execution (RCE), which means an attacker can:
Given the critical nature of this vulnerability and the ease of exploitation, all affected stores should be considered potentially compromised.
If you are not using Sansec Shield for active protection of your Magento store, you should:
Sansec eComscan detects this backdoor and can help identify if your store has been compromised.
MGT Commerce confirmed the vulnerability and released a fixed version (1.1.0) within two days of being notified. We appreciate their prompt response and cooperation in addressing this critical security issue.
| Date | Event |
|---|---|
| 2025-12-09 | Discovery by Sansec, protection added to Sansec Shield |
| 2025-12-10 | MGT Commerce confirms the vulnerability |
| 2025-12-11 | MGT Commerce releases fixed version 1.1.0 |
| 2025-12-15 | Sansec published this warning |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。