The Magento Vulnerability
Adobe released urgent Sunday updates to address a significant security vulnerability affecting its Commerce and Magento Open Source products, which the company claims is currently being actively exploited in the wild.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the company stated in an advisory published on February 13, 2022.
The findings coincide with a disclosure last week by Sansec, an e-commerce malware and vulnerability detection company, of a Magecart attack that infected 500 sites running the Magento 1 platform with a credit card skimmer designed to steal users’ payment details.
The vulnerability, tracked as CVE-2022-24086, has a CVSS score of 9.8 out of 10 and has been described as an “improper input validation” issue that could be exploited to achieve arbitrary code execution on vulnerable systems.
What is more concerning about CVE-2022-24086 is that it is a pre-authenticated vulnerability, meaning it might be exploited without any credentials. However, Adobe pointed out one reassuring detail: the vulnerability can only be exploited by an attacker who has administrator privileges over the affected system.
Adobe Commerce and Magento Open Source 2.4.3-p1 and older versions, as well as 2.3.7-p2 and earlier versions, are all affected by the vulnerability, and users of these versions should be aware that they are potential targets of attacks. Adobe Commerce 2.3.3 and earlier versions are NOT affected, though.
Adobe has developed patches for the flaw, which are delivered as MDVA-43395_EE_2.4.3-p1_v1.
No further information about the attacks has been released, and Adobe has not credited anyone for reporting the vulnerability. The company said it is unable to provide additional details about the vulnerability in order to protect the security and privacy of its customers’ information. According to the California-based tech giant, the problem was found by a member of its internal security team.