Fix now: Adobe releases emergency patch for exploited Commerce, Magento zero-day

Adobe has released an emergency patch to address a critical bug that is being exploited in the wild.

On February 13, the tech giant said the vulnerability affects Adobe Commerce and Magento Open Source and that, according to the company’s threat data, the security flaw has been weaponized “in very limited attacks targeting Adobe Commerce merchants.”

Tracked as CVE-2022-24086, the vulnerability received a CVSS severity score of 9.8 out of a possible 10.

The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are necessary to process the data correctly and securely.”

CVE-2022-24086 does not require admin privileges to trigger. Adobe says that the critical pre-authentication bug can be exploited to execute arbitrary code.

Because the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, giving customers time to apply the patches and reducing the risk of further exploitation.

The bug affects Adobe Commerce (2.3.3-p1 to 2.3.7-p2) and Magento Open Source (2.4.0 to 2.4.3-p1), as well as earlier versions.

Adobe patches can be downloaded and applied manually here.

Earlier this month, Adobe released security updates for products like Premiere Rush, Illustrator, and Creative Cloud. The patch cycle addressed vulnerabilities leading to arbitrary code execution, denial of service (DoS), and elevation of privilege, among other issues.

Last week, Apple released a patch in iOS 15.3.1 to eliminate a vulnerability in Apple’s Safari browser that could be exploited to execute arbitrary code.

During February’s Patch Tuesday, Microsoft addressed 48 vulnerabilities, including a publicly known zero-day security flaw.
