CVE-2015-6497
Description
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code execution in Magento SOAP API (V2) on outdated PHP versions (before 5.4.24/5.5.8) via autoloaded file inclusion.
Root Cause
The vulnerability resides in the create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php of Magento Community Edition (CE) prior to 1.9.2.1 and Enterprise Edition (EE) prior to 1.14.2.1 [1]. The issue is an autoloaded file inclusion vulnerability that occurs when Phar files are processed via PHP's autoloading mechanism [1]. This behavior is present only in older PHP versions—specifically before 5.4.24 or 5.5.8—because it leverages a PHP engine weakness that was patched in early 2014 [1][3]. The authenticated attacker supplies malformed data through the productData parameter to the SOAP V2 API endpoint (index.php/api/v2_soap) [1][3].
Exploitation
To exploit this vulnerability, an attacker must have valid API credentials (username and API key) for the Magento SOAP V2 interface [1]. The attack requires that the target server runs an unpatched PHP version (below 5.4.24 or 5.5.8), which may still be present in older or conservative distributions such as RHEL 7.1 [1]. The attacker crafts a malicious Phar file (or other PHP archive) and uploads it (e.g., as product data). When the API processes the productData parameter, PHP's autoloader includes the attacker-controlled file, leading to code execution [1].
Impact
Successful exploitation allows a remote, authenticated attacker to execute arbitrary PHP code on the Magento web server [1][3]. This can result in full compromise of the e-commerce environment, including theft of credit card data, personal customer information, and admin credentials, as well as modification of store content and transactions [1]. The vulnerability is rated as critical due to the severity of potential data breaches and complete site takeover.
Mitigation
Magento released a bundle of patches (SUPEE-6482) on August 4, 2015, which addresses this issue [1]. The patches are included in Magento CE 1.9.2.1 and EE 1.14.2.1 [1][3]. The primary fix involves sanitizing the productData input to prevent autoloaded file inclusion [1]. Additionally, upgrading PHP to a patched version (5.4.24+, 5.5.8+, or any later supported branch) eliminates the underlying engine vulnerability [1]. Administrators are strongly advised both to apply the Magento update and to ensure PHP is up to date. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
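The version conditions from the description and Mitigation section can be checked across an inventory. The following is an added example, not code from Magento or from the cited advisories; the function names and result labels are hypothetical, and treating PHP branches older than 5.4 as in range is this example's reading of "before 5.4.24 or 5.5.8".

```python
import re

# Fixed releases as stated in the CVE description on this page.
MAGENTO_FIXED = {"CE": (1, 9, 2, 1), "EE": (1, 14, 2, 1)}
PHP_FIXED_BY_BRANCH = {(5, 4): (5, 4, 24), (5, 5): (5, 5, 8)}

def parse_version(text):
    """Leading dotted-numeric part as a tuple; build suffixes are dropped."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(v, n):
    """Right-pad with zeros so '1.9.2' compares as 1.9.2.0."""
    return v + (0,) * (n - len(v))

def magento_in_range(edition, version):
    # Tuples, not strings: as strings "1.14.2.1" sorts before "1.9.2.1".
    fixed = MAGENTO_FIXED[edition.upper()]
    return pad(parse_version(version), len(fixed)) < fixed

def php_in_range(version):
    v = pad(parse_version(version), 3)[:3]
    branch = v[:2]
    if branch in PHP_FIXED_BY_BRANCH:
        return v < PHP_FIXED_BY_BRANCH[branch]
    # Assumption: branches older than 5.4 count as "before 5.4.24";
    # 5.6 and later are newer than both fixed releases.
    return branch < (5, 4)

def assess(edition, magento_version, php_version):
    """Both conditions must hold for the CVE description to apply."""
    m = magento_in_range(edition, magento_version)
    p = php_in_range(php_version)
    if m and p:
        return "affected"
    if m:
        return "magento-unpatched"  # still apply SUPEE-6482 or upgrade
    if p:
        # Distribution packages can carry backported fixes under an old
        # upstream version number; confirm against the vendor changelog.
        return "php-outdated"
    return "not-affected"

# Constructed sample inventory: (host, edition, Magento version, PHP version)
SAMPLE = [("shop-a", "CE", "1.9.2.0", "5.4.16-36.el7"),
          ("shop-b", "EE", "1.14.2.1", "5.5.9-1ubuntu4")]

def audit(rows=SAMPLE):
    return {host: assess(ed, mv, pv) for host, ed, mv, pv in rows}
```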
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/core (Packagist) | < 1.9.2.1 | 1.9.2.1 |
Affected products
- Magento/Magento Community Edition
References
- github.com/advisories/GHSA-j4fq-3fm7-wh5v
- nvd.nist.gov/vuln/detail/CVE-2015-6497
- blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html
- karmainsecurity.com/KIS-2015-04
- magento.com/security/patches/supee-6482
- packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
- seclists.org/fulldisclosure/2015/Sep/48