Update! Attacks on Gambio webshops
A security vulnerability in Gambio webshops allows attackers to compromise them, and malicious actors are apparently already doing so.
The company Gambio, which develops the webshop software of the same name, released security updates at the end of last week. Gambio strongly recommends that shop operators apply the updates. Cloud-hosted shops were compromised, as were on-premises installations.
This can be seen from a forum post by Gambio. According to it, there is a security update 2026-03 v1.1 for Gambio versions from 4.0 up to 4.9 and higher. In total there are three version branches, each receiving its own update package: for Gambio v4.0 to v4.6, for Gambio v4.7 to v4.8, and for Gambio v4.9 and newer. Users of older Gambio versions should migrate to the newer versions. According to the manufacturer, the cloud versions have already been updated. An initial patch, version 1.0 of the security update, had apparently caused problems in shops where it was applied. Gambio has therefore released v1.1, which is intended to close the vulnerability without further side effects.
The update to the update apparently caused some confusion among shop operators, but the initial post in the Gambio forum now correctly summarizes the situation and also provides a solution for cases where patch v1.0 causes disruptions in the shop system.
Apparently successful attacks on Gambio shops
Initially, Gambio acknowledged the attacks it had observed against the vulnerabilities not publicly, but only in emails to customers. Apparently, the malicious actors install a file on the system and thereby compromise it. This is suggested by a post in the forum that has since been deleted. Because other forum users responded to it, the text can still be viewed. It suggests that Gambio knows specific indicators of compromise (IOCs). According to further posts, attackers create a new subfolder in the "Theme" folder; in one place, a scan from the internet for a folder named "gx_se_cache" is mentioned.
Further hints of successful attacks found there point to copies of shop folders such as "admin" or "includes" in the "Theme" folder. Additionally, in "upload/tmp" there are further folders containing a file named "cache.php", which does not belong there either.
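The indicators described in the two paragraphs above, turned into a check a shop operator can run against an installation. This is an added example, not Gambio's own tooling; the path names "Theme" and "upload/tmp" follow the article's wording and may need adjusting to the actual directory layout of the installation.

```shell
#!/bin/sh
# Added example (not Gambio's code): look for the IOCs named in the article
# inside a Gambio shop root. Directory names are taken from the article's
# wording and are an assumption about the real installation layout.

# gambio_ioc_scan SHOP_ROOT
# Prints one "IOC: ..." line per indicator found.
# Returns 0 when nothing was found and 1 when at least one indicator matched.
gambio_ioc_scan() {
    root=$1
    found=0
    theme_dir="$root/Theme"
    tmp_dir="$root/upload/tmp"

    # 1. A "gx_se_cache" folder inside the theme folder (the scan target mentioned).
    if [ -d "$theme_dir/gx_se_cache" ]; then
        echo "IOC: $theme_dir/gx_se_cache exists"
        found=1
    fi

    # 2. Copies of core shop folders ("admin", "includes") inside the theme folder.
    for name in admin includes; do
        if [ -d "$theme_dir/$name" ]; then
            echo "IOC: $theme_dir/$name (copy of a core shop folder)"
            found=1
        fi
    done

    # 3. Subfolders of upload/tmp that contain a file named cache.php.
    #    -mindepth 2 restricts the match to files inside a subfolder.
    if [ -d "$tmp_dir" ]; then
        hits=$(find "$tmp_dir" -mindepth 2 -type f -name 'cache.php' 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/IOC: /'
            found=1
        fi
    fi
    return $found
}

# Usage: ./gambio_ioc_scan.sh /path/to/shop  (runs only when a path is given)
if [ -n "${1:-}" ]; then
    gambio_ioc_scan "$1"
fi
```

A clean result from this check only means these particular indicators are absent; the manufacturer's emails contain further IOCs that should be checked as well.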
Hints of specific vulnerabilities
According to the available information, Gambio shop systems had three security holes until security update 2026-03 v1.1. Data that customers transmit after selecting an article in the shop, for example, was insufficiently filtered, making SQL injection possible without prior login. Furthermore, a vulnerability allegedly allows at least denial-of-service attacks, as the system for dynamic price calculation uses some parameters unfiltered. Additionally, the generation of security keys for user authentication in the design area (StyleEdit) was supposedly predictable, as it was derived, for example, from the shop's installation date. However, this is described as a theoretical problem; the loophole is probably not relevant for the attacks that have now occurred.
160 cloud shops attacked
A dedicated page on the Gambio website explains some details about the attacks and vulnerabilities and links to FAQs for shop operators. There too, however, the company only refers to the IOCs found in the customer emails. Gambio has, on the other hand, provided further information to heise security. According to this, around 160 web shops in the Gambio cloud were attacked. The manufacturer has already contacted affected shop operators directly. Gambio does not provide any figures on the number of attacked on-premises installations.
The exploited security vulnerability is an SQL injection flaw that attackers can abuse without prior authentication. In the known cases, attackers read out customer databases, including contact details, order history, and password hashes. Especially if the passwords were still hashed with MD5, they should therefore be considered compromised. In any case, Gambio recommends triggering a password reset for all customers of affected shops. Furthermore, according to the FAQ, shop operators are obliged under Article 34 of the GDPR to inform end customers if the shop has been successfully attacked.
According to Gambio, credit card numbers, bank details, and access data to payment providers were not read out. In the FAQ, Gambio points out that no payment data is stored in the Gambio database, but that payments are processed exclusively through external payment providers.
Gambio shop operators should install the updates immediately. The manufacturer's emails with the more specific IOCs may have ended up in the spam folder. Customers who have not yet seen the email should look there and examine their systems for signs of successful attacks based on the hints in the email.
Gambio webshops were already targeted by attackers at the end of last year. At that time, the case of the hijacked "Fänshop" of Baden-Württemberg became known, which is presumably also based on Gambio.
(dmk)