
Patch Now: Adobe Magento Vulnerability Scores a 9.8 out of 10

In February 2022, Adobe released out-of-band updates to patch a critical vulnerability in Adobe Commerce and Magento Open Source. CVE-2022-24086 is an improper input validation flaw that allows an unauthenticated attacker, with no credentials or administrative privileges, to execute arbitrary code on the affected store.

The vulnerability is scored 9.8 out of 10 on the CVSS v3.1 scale and has been exploited in the wild. It parallels a similarly severe Magento vulnerability from 2015, dubbed "Magento Shoplift", which was exploited in the wild from machines located in Russia and leveraged SQL injection to create administrator accounts. Notably, more than 80% of Magento shops (170,000+) were still unpatched in April 2015, nearly three months after that patch was released. In today's threat landscape, such low patch adoption would lead to far higher exploitation rates: scanning and exploit attempts are expected to increase sharply now that the vulnerability has been disclosed.

Recommended Remediation

We recommend prioritizing patching as soon as possible (today, ideally), since exploitation is already being seen in the wild and Magento has long been a target for attackers. The patch is available for download from Adobe's security bulletin for this vulnerability (APSB22-12).

If you are running Adobe Commerce or Magento Open Source 2.4.3-p1 and earlier, or 2.3.7-p2 and earlier, you are vulnerable to attack. According to Adobe, versions 2.3.3 and lower are not affected, though eCommerce security firm Sansec recommends applying the patch anyway.
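As an added example (not part of the original post and not Adobe's or Sansec's tooling), the following Python script classifies a Magento version string against the affected ranges quoted above. It assumes the version comes from the output of `bin/magento --version`, which prints a line such as "Magento CLI 2.4.3-p1"; the sample strings in the block are constructed. Note the comparison is done on a parsed tuple, not on the raw string, because string comparison gets `2.4.10` versus `2.4.3-p1` wrong.

```python
import re
from typing import Tuple

# Affected ranges as stated in the advisory above. The page gives no
# fixed-version boundary, so anything newer is reported as "unlisted"
# rather than "fixed".
VULNERABLE = "vulnerable: within the affected range, confirm the patch is applied"
NOT_AFFECTED = "not affected per Adobe (2.3.3 and lower); Sansec recommends patching anyway"
UNLISTED = "newer than the ranges listed in the advisory"

# Magento versions look like 2.4.3 or 2.4.3-p1 (the -pN suffix is a
# security/patch release; absence is treated as p0).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-pN' into a comparable (X, Y, Z, N) tuple.

    Accepts either a bare version or a full `bin/magento --version` line
    such as 'Magento CLI 2.4.3-p1' (the version is the last token).
    """
    token = text.strip().split()[-1] if text.strip() else ""
    m = VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def classify(version: str) -> str:
    """Map a version string onto the advisory's affected ranges."""
    v = parse_version(version)
    if v <= (2, 3, 3, 0):
        # 2.3.3-p1 parses as (2, 3, 3, 1) and so is NOT covered here,
        # which matches the advisory's "2.3.3 and lower".
        return NOT_AFFECTED
    if v[:2] == (2, 3):
        return VULNERABLE if v <= (2, 3, 7, 2) else UNLISTED
    if v[:2] == (2, 4):
        return VULNERABLE if v <= (2, 4, 3, 1) else UNLISTED
    return UNLISTED


if __name__ == "__main__":
    # Constructed sample outputs of `bin/magento --version` for several shops.
    samples = [
        "Magento CLI 2.4.3-p1",
        "Magento CLI 2.3.7-p2",
        "Magento CLI 2.3.3",
        "Magento CLI 2.3.3-p1",
        "Magento CLI 2.4.10",
    ]
    for line in samples:
        print(f"{line:<24} -> {classify(line)}")
```

Caveat for operators: Adobe delivered the February 2022 fix as a hotfix applied on top of the installed release, so applying it does not change the version string. A "vulnerable" result from this script therefore means "in the affected range, verify the hotfix is present", not "certainly unpatched".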
