Adobe took the unusual step on Sunday of releasing an out-of-band patch for a critical zero-day vulnerability in Magento 2, the open-source e-commerce platform.
In a blog post on Monday, Sansec researchers said the vulnerability, tracked as CVE-2022-24086, allows unauthenticated remote code execution (RCE), widely regarded as the most severe class of flaw. Exploitation in the wild has already been reported, and Sansec expects mass scanning and exploitation to follow within the next 72 hours.
Sansec researchers said Adobe had been aware of the issue since at least January 27 but did not release a fix until Sunday.
The disclosure comes a week after Sansec researchers detected a breach of more than 500 online stores still running the outdated Magento 1 platform.
Too often, developers build software around how its designers want it to work rather than how people, including threat actors, actually use it, explained Casey Bisson, head of product and developer relations at BluBracket. Bisson said it took automakers many years to realize that locks and seatbelts were essential features of a car, and the software industry is still going through the same transition.
“This attack is particularly risky because it takes advantage of an execution path that normally shouldn’t exist between user input and the PHP script interpreter,” Bisson said. “Sanitizing user input to prevent injection attacks is always a top priority, but especially so in situations that allow user input to be executed by the script interpreter.”
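To make the execution path Bisson describes concrete, here is an added example (written for this page, not Magento's code and not from the original article) of a toy PHP 8 template filter that expands `{{var ...}}` and `{{call ...}}` directives. The directive syntax, the `ToyTemplateFilter` and `Secrets` classes, and the function names are assumptions made for illustration. The vulnerable renderer splices an untrusted "customer name" into the template source, so a directive inside it is interpreted; the hardened renderer passes the same value in only as data, where it stays inert, and a boundary check rejects directive-like input before it reaches the filter at all.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's code: a toy template filter that expands
// {{var name}} and {{call object.method}} directives. The directive syntax,
// class names and the Secrets helper are assumptions made for illustration.
final class ToyTemplateFilter
{
    /** @param array<string, mixed> $vars values and objects a template may reference */
    public function __construct(private array $vars) {}

    // Single-pass expansion: text produced by one directive is never re-scanned,
    // so a substituted *value* that happens to contain "{{...}}" stays inert.
    public function filter(string $template): string
    {
        return preg_replace_callback(
            '/\{\{\s*(var|call)\s+([A-Za-z0-9_.]+)\s*\}\}/',
            function (array $m): string {
                [, $directive, $arg] = $m;
                if ($directive === 'var') {
                    $v = $this->vars[$arg] ?? '';
                    return is_scalar($v) ? (string)$v : '';
                }
                // {{call obj.method}}: invoke a method on a registered object.
                // This is the "interpreter" that must never be reachable from user input.
                [$obj, $method] = explode('.', $arg, 2) + [null, null];
                $target = $this->vars[$obj] ?? null;
                if ($method !== null && is_object($target) && method_exists($target, $method)) {
                    return (string)$target->$method();
                }
                return '';
            },
            $template
        );
    }
}

// Stand-in for something a store template may legitimately call,
// but that an outside user must never be able to reach.
final class Secrets
{
    public function dump(): string { return 'db_password=hunter2'; }
}

// Vulnerable: untrusted input is concatenated into the *template source*
// before filtering, so any directive it carries is interpreted.
function renderVulnerable(ToyTemplateFilter $f, string $customerName): string
{
    return $f->filter('Hello, ' . $customerName . '! Your order is confirmed.');
}

// Hardened: the template is fixed and the untrusted value enters only as
// data through {{var ...}}; its contents are never parsed for directives.
function renderHardened(ToyTemplateFilter $f): string
{
    return $f->filter('Hello, {{var customer_name}}! Your order is confirmed.');
}

// Defense in depth: reject directive-looking input at the trust boundary
// (form handler, API layer) so it never reaches the filter at all.
function containsDirective(string $input): bool
{
    return preg_match('/\{\{.*?\}\}/s', $input) === 1;
}

// Constructed input: a "customer name" carrying a directive.
$malicious = 'Bob{{call secrets.dump}}';
$filter = new ToyTemplateFilter([
    'customer_name' => $malicious,
    'secrets'       => new Secrets(),
]);

echo renderVulnerable($filter, $malicious), PHP_EOL;
echo renderHardened($filter), PHP_EOL;
var_dump(containsDirective($malicious));
```

Run with `php example.php`: the vulnerable renderer expands the embedded `{{call secrets.dump}}` and prints the secret inside the greeting, while the hardened renderer prints the customer name verbatim with the directive left as plain text, and `containsDirective` flags the input so it could be rejected up front. The general lesson, which is what Bisson's quote is getting at, is that untrusted data must only ever be substituted into a template as a value, never concatenated into the template source that the interpreter parses.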
Mike Parkin, an engineer at Vulcan Cyber, said this new attack on Magento 2 shows just how tenacious and creative threat actors are in their efforts to gain and maintain a foothold in target environments.
“Adobe’s response is reasonably quick, given that this vulnerability is being actively exploited,” Parkin said. “Fixing should be a priority for any organization using the affected software.”