Earlier this week, we wrote about Adobe’s out of band updates to patch a critical vulnerability in Adobe Commerce and Magento Open Source. That vulnerability, CVE-2022-24086, is an improper input validation flaw that allows arbitrary code execution and nets a 9.8/10 CVSS score. Adobe released an out-of-band update on Sunday February 13 to remediate the vulnerability, which has been exploited in the wild.
Unfortunately, the story doesn’t end there. On Thursday, Adobe revised the initial security bulletin to include another emergency patch for yet another zero-day discovered in Magento and Commerce. The new vulnerability, CVE-2022-24087, is also an improper input validation issue that allows arbitrary code execution when exploited. The new vulnerability is equally severe, netting a 9.8/10 CVSSv3.1 score, though Adobe is not aware of exploitation in the wild.
Recommended Remediation
We recommend prioritizing patching as soon as possible for both vulnerabilities (before the weekend, ideally), since Magento has previously been a target for attackers.
If you’re running any of the below Magento or Commerce versions on any platform, you need to patch your systems:
Patches for the affected versions are available on Adobe’s security bulletin. As for any software, we recommend going directly to the vendor site instead of downloading from a 3rd party.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.
