
Critical backdoor found in MGT Varnish extension


by Sansec Forensics Team

Published in Threat Research − December 15, 2025

Sansec discovered an open backdoor in MGT Varnish, a popular cache manager for online stores. While the backdoor appears to be intended for remote support, it can be exploited by anyone.

Name: Mgt_Varnish
Vulnerable: 1.0.10 and earlier
Fixed in: 1.1.0

Sansec researchers discovered a critical vulnerability in the popular Varnish module for Magento. This module, developed by MGT Commerce, contains a hidden backdoor that allows remote PHP code execution.

The backdoor was likely inserted to enable remote upgrades and debugging support. However, the protection mechanism can be trivially bypassed and it poses a serious risk to all stores running Mgt_Varnish version 1.0.10 or earlier.

Sansec ran a global Internet scan and found hundreds of vulnerable stores.

How does it work?

The backdoor is located in the feed update controller (Mgt/Varnish/Controller/Feed/Update.php). When activated, it writes attacker-supplied code to a temporary file and executes it as PHP. The code attempts to restrict access to a single IP address (54.84.48.253), apparently used by MGT Commerce for these hosts:

  • console-test.mgt.io
  • feed.mgt-commerce.com

However, there are two flaws in the protection mechanism:

  1. MD5 is unsafe: The "management IP" is not stored in clear text but hidden behind an MD5 hash, against which the hash of the requesting address is compared. MD5 has been deprecated since 2004, and because a single IPv4 address is a small enough search space to hash exhaustively, the hidden IP can be recovered in about 40 seconds using modern hardware.

  2. IP spoofing: The IP check reads the client address from the X-Forwarded-For header, which in many configurations an attacker can set freely. Proxies and load balancers normally populate this header, but if the application does not restrict it to values set by trusted proxies, a request can carry any address the sender chooses. This effectively allows anyone to execute arbitrary PHP code on the server.

How to check your store

Search for the file Mgt/Varnish/Controller/Feed/Update.php. If it exists and contains md5($remoteAddress), your store is at risk.

The backdoor code has multiple variants with different obfuscation levels, but all versions contain the same vulnerability.
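The check above, scripted for a whole Magento document root (an added example, not Sansec's or MGT Commerce's code). It assumes the module sits somewhere below the root, as in a standard Magento 2 layout (app/code/ or vendor/), and that the module's etc/module.xml may declare a setup_version, which is reported when present.

```shell
#!/bin/sh
# Added example: locate every copy of the Mgt_Varnish feed update controller
# below a Magento root and report those still carrying the md5($remoteAddress)
# indicator named in the advisory. Layout-independent: any path below the root
# is searched, so app/code/, vendor/ and stale backup copies are all covered.

CONTROLLER='*/Mgt/Varnish/Controller/Feed/Update.php'
INDICATOR='md5($remoteAddress)'   # matched as a fixed string, not a regex

# check_mgt_varnish <magento_root>
# Exit status: 0 = controller absent, 1 = controller present but indicator
# absent (confirm the installed module is 1.1.0 or later), 2 = indicator found.
check_mgt_varnish() {
    root="${1:-.}"

    # Informational: Magento 2 modules commonly declare setup_version in
    # etc/module.xml (assumed here, not guaranteed for this module).
    for xml in $(find "$root" -type f -path '*/Mgt/Varnish/etc/module.xml' 2>/dev/null); do
        ver=$(sed -n 's/.*setup_version="\([^"]*\)".*/\1/p' "$xml")
        [ -n "$ver" ] && echo "INFO: $xml declares setup_version=$ver"
    done

    found=$(find "$root" -type f -path "$CONTROLLER" 2>/dev/null)
    if [ -z "$found" ]; then
        echo "OK: no Mgt/Varnish/Controller/Feed/Update.php under $root"
        return 0
    fi

    # -F keeps '$' and '()' literal; -l lists only files that contain the marker.
    hits=$(find "$root" -type f -path "$CONTROLLER" \
               -exec grep -l -F -- "$INDICATOR" '{}' + 2>/dev/null)
    if [ -z "$hits" ]; then
        echo "REVIEW: controller present without indicator; verify version >= 1.1.0:"
        for f in $found; do echo "  $f"; done
        return 1
    fi
    for f in $hits; do echo "AT RISK: $f contains $INDICATOR"; done
    return 2
}

# Run directly: sh check_mgt_varnish.sh /var/www/magento
if [ $# -gt 0 ]; then check_mgt_varnish "$1"; fi
```

Treat a REVIEW result as unresolved until the installed version is confirmed, since the page notes several obfuscation variants of the backdoor exist.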

Impact

This vulnerability allows remote code execution (RCE), which means an attacker can:

  • Install payment card skimmers to steal customer payment data
  • Access and exfiltrate customer databases
  • Install persistent backdoors for long-term access
  • Modify store functionality or deface the website
  • Use the server as part of a botnet or for other malicious activities

Given the critical nature of this vulnerability and the ease of exploitation, all affected stores should be considered potentially compromised.

Recommendations

If you are not using Sansec Shield for active protection of your Magento store, you should:

  1. Immediately update to Mgt_Varnish version 1.1.0 or later, or replace the module with a high-quality alternative such as Elgentos Varnish Extended.
  2. Check for signs of a compromise. If you've been running the vulnerable version, assume the worst and audit your server for malicious code.

Sansec eComscan detects this backdoor and can help identify if your store has been compromised.

Vendor response

MGT Commerce confirmed the vulnerability and released a fixed version (1.1.0) within two days of being notified. We appreciate their prompt response and cooperation in addressing this critical security issue.

Timeline

Date        Event
2025-12-09  Discovery by Sansec, protection added to Sansec Shield
2025-12-10  MGT Commerce confirms the vulnerability
2025-12-11  MGT Commerce releases fixed version 1.1.0
2025-12-15  Sansec publishes this warning
