On Sunday (February 13, 2022), Adobe released out-of-band updates to patch a critical vulnerability in Adobe Commerce and Magento Open Source. CVE-2022-24086 is an improper input validation flaw that allows an unauthenticated attacker to execute arbitrary code: no credentials and no administrative privileges are required.
The vulnerability carries a CVSSv3.1 base score of 9.8 out of 10 and has already been exploited in the wild. It draws parallels to a similarly severe Magento vulnerability from 2015, dubbed "Magento Shoplift," which was exploited in the wild from machines located in Russia and leveraged SQL injection to create administrator accounts. Notably, more than 80% of Magento shops (170,000+) were still unpatched in April 2015, nearly three months after the patch was released. In today's threat landscape such low patch adoption would invite far higher rates of exploitation; scanning and exploit attempts can be expected to increase sharply now that the vulnerability has been disclosed.
We recommend prioritizing patching as soon as possible (today, ideally): exploitation has already been observed in the wild, and Magento has a long history as an attacker target. The fix is available from Adobe's security bulletin for this vulnerability. Note that it ships as a patch (MDVA-43395) applied on top of an existing 2.3.x or 2.4.x release rather than as a new version, so the version reported by an installation does not change after the patch is applied; track the patch itself, not just the version number.
If you are running Adobe Commerce or Magento Open Source 2.4.3-p1 or earlier, or 2.3.7-p2 or earlier, you are vulnerable. Adobe states that versions 2.3.3 and lower are not affected, which leaves 2.3.4 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1 as the affected range; eCommerce security firm Sansec nonetheless recommends applying the patch manually to the older versions as well.
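The version ranges above are easy to misread because Magento patch releases carry a "-pN" suffix that a plain string comparison handles badly (2.4.3-p1 sorts after 2.4.3, but 2.4.3-p1 and 2.4.3p1 are the same release). The following POSIX sh script is an added example, not code from the original post or from Adobe or Magento: it normalizes a version string, including the "Magento CLI 2.4.3-p1" line that `php bin/magento --version` prints, and classifies it against the affected ranges exactly as stated in this post. The names `split_version`, `version_key` and `magento_cve_2022_24086_status` are this example's own, and the decision to treat any 2.3.3 patch release as "2.3.3 and lower" is an assumption about how Adobe's wording should be read.

```shell
#!/bin/sh
# Added example (not from the original post, Adobe or Magento): classify a
# Magento / Adobe Commerce version string against the CVE-2022-24086 ranges.
# Accepts "2.4.3", "2.4.3-p1", "2.4.3p1" or the full "Magento CLI 2.4.3-p1" line.

# Print "MAJOR MINOR PATCH P" for a version string; P (the -pN level) defaults to 0.
split_version() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//')   # drop a "Magento CLI " or "v" prefix
    base=${v%%-p*}                                # strip "-pN" ...
    base=${base%%p*}                              # ... or the "pN" form without a dash
    p=${v#"$base"}
    p=${p#-}
    p=${p#p}
    if [ -z "$p" ]; then p=0; fi
    oldifs=$IFS
    IFS=.
    set -- $base                                  # split MAJOR.MINOR.PATCH on dots
    IFS=$oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# Collapse the four fields into one integer so versions compare with -lt/-le.
# Assumption: no field ever reaches 100 (true for every Magento 2 release so far).
version_key() {
    set -- $(split_version "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Prints one of:
#   not-affected   2.3.3 and lower (per Adobe; a 2.3.3-pN build is treated as 2.3.3)
#   vulnerable     2.3.4 .. 2.3.7-p2 or 2.4.0 .. 2.4.3-p1
#   later-release  newer than the ranges named in the advisory
# "vulnerable" means "in the affected range"; the MDVA patch does not change the
# reported version, so a patched 2.4.3-p1 still reports here as vulnerable.
magento_cve_2022_24086_status() {
    k=$(version_key "$1")
    if [ "$k" -lt "$(version_key 2.3.4)" ]; then
        echo not-affected
    elif [ "$k" -le "$(version_key 2.3.7-p2)" ]; then
        echo vulnerable
    elif [ "$k" -lt "$(version_key 2.4.0)" ]; then
        echo later-release
    elif [ "$k" -le "$(version_key 2.4.3-p1)" ]; then
        echo vulnerable
    else
        echo later-release
    fi
}

# Usage: pass one or more version strings, e.g. from the Magento root directory:
#   sh check_magento.sh "$(php bin/magento --version)"
for ver in "$@"; do
    printf '%s: %s\n' "$ver" "$(magento_cve_2022_24086_status "$ver")"
done
```

Because the out-of-band fix is a patch rather than a release, treat a "vulnerable" result as "confirm the patch has actually been applied to this install" rather than as proof of exposure, and a "later-release" result as "outside the ranges this advisory names", not as a guarantee of safety.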
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.