
Researchers create exploit for critical Magento bug, Adobe updates advisory

Security researchers have created exploit code for CVE-2022-24086, the critical vulnerability affecting Adobe Commerce and Magento Open Source that Adobe patched in an out-of-band update last Sunday.

The vulnerability, which Adobe said had been “exploited in the wild in very limited attacks”, carries a CVSS severity score of 9.8 out of 10: an unauthenticated, remote attacker who exploits it can execute arbitrary code on affected systems.

Earlier today, Adobe updated its security advisory to add a second issue, tracked as CVE-2022-24087, which carries the same severity score and can lead to the same outcome (unauthenticated remote code execution) when exploited.

Both are improper input validation vulnerabilities (CWE-20), and the company has released patches for Adobe Commerce and Magento Open Source that address both issues.

In a tweet today, the offensive security team at cybersecurity firm Positive Technologies announced that they had created a reliable exploit for CVE-2022-24086.

The researchers told BleepingComputer that attackers exploiting the bug can gain “full access to the target system with web server privileges.”

They warn that trying to block exploit attempts with a Web Application Firewall (WAF) is not a reliable defense, as there are multiple ways to exploit the bug, “without specific constructs and not removable in the query”.

Positive Technologies researchers told us that developing “a complete exploit is quite a difficult task” if the technical details are not available. However, once this obstacle is removed, attacking soft targets “is quite simple and straightforward”.

That difficulty should not be mistaken for protection. Even if it takes them longer to work out an exploit, motivated threat actors will invest the effort to develop one.

Online stores are a prime target for hackers looking for payment card data, usually captured by a web skimmer – a malicious script injected into payment forms.

Additionally, as Adobe noted in its advisory, some threat actors are already exploiting CVE-2022-24086 in limited attacks.

According to researchers’ estimates, there are more than 17,000 vulnerable websites, some of which are from “big companies”.

The researchers say they do not intend to release the proof-of-concept (PoC) exploit code they created or share it privately within the infosec industry.

This decision is mainly driven by the large number of websites running unpatched Adobe Commerce and Magento products.

Online store administrators should install the patches for both critical vulnerabilities to defend against exploit attempts; applying only the fix for CVE-2022-24086 is not enough.

Credited for the second critical bug (CVE-2022-24087) are researchers Eboda and Blaklis, the latter pointing out that applying the first patch alone is not sufficient.

Update [February 18, 2022, 06:20 AM EST]: Fabien Schmengler, a Magento Certified Developer working for e-commerce tech consultancy firm integer_net, warns that Adobe’s patch for CVE-2022-24087 (MDVA-43443) breaks the “Template Styles” CSS configuration in email templates “because all braces are removed to sanitize the entry.”

The developer notes that, even so, having “less colorful emails” is a reasonable trade-off for not being exposed to a remote code execution vulnerability.