Adobe Commerce and Magento emergency patches follow ‘limited’ in-the-wild attacks on vulnerable deployments

Emma Woollacott February 16, 2022 at 12:24 UTC

Updated: Feb 17, 2022 09:53 UTC

Web administrators are advised to update now

Adobe Commerce and Magento Open Source installations need to be updated following the discovery of a critical vulnerability that has already been exploited in the wild.

The vulnerability – identified as CVE-2022-24086 and carrying a CVSS severity score of 9.8 – could allow unauthenticated attackers to steal customers’ credit card details and login credentials from unpatched installations.

Adobe Commerce versions 2.4.3-p1 and 2.3.7-p2 and earlier are vulnerable, as well as Magento Open Source versions 2.4.3-p1 and 2.3.7-p2 and earlier.

The security bug, which stems from improper input validation, allows remote code execution (RCE) by an unauthenticated attacker and was first reported on January 27.

Independent payment security experts noted that steps have been taken to roll out the fix faster than would normally be the case.

Willem de Groot, CEO and founder of Magento security specialist Sansec, told The Daily Swig: “The emergency patch was released on a Sunday, which is quite unusual. Normally new patches require [developer] agencies to work around the clock to test and implement them for all of their clients. Additionally, Adobe has not yet added the patch to its main Magento repository on GitHub.”

He added: “According to Adobe, this vulnerability has already been exploited in the wild in very limited attacks. This suggests they were rushing to get a fix out.”

Skim Reading

Adobe’s release comes just days after Sansec discovered a mass breach of more than 500 stores running the now unsupported Magento 1 software, with more than 350 stores infected in a single day.

And in 2015, a large number of websites were compromised via a vulnerability known as Magento Shoplift, which allowed unauthenticated users to reach website administration pages and exploit certain pages via SQL injection.

Adobe confirmed that this latest vulnerability has also been exploited in the wild, but only “in very limited attacks”. It urges merchants to apply the fixes immediately.

“Sansec has not identified any active abuse so far, but as the vulnerability is of the worst possible category – unauthenticated RCE – we expect mass scanning and exploitation in the coming days,” warned de Groot.

“The same thing happened with the infamous Magento 1 Shoplift vulnerability back in 2015. We recommend all merchants implement the fix today.”

An Adobe spokesperson said the company was not ready to comment on the vulnerability beyond the information provided in its security advisory.