Adobe has released an emergency advisory for users of its Commerce and Magento platforms. It explains that a critical zero-day vulnerability is actively being exploited in attacks against sites that use these two content management system (CMSs). Users should apply the patch as soon as possible.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability has been assigned CVE-2022-24086.

The flaw is described as an improper input validation vulnerability which could lead to arbitrary code execution. The vulnerability is exploitable without credentials and is rated as critical. It has been rated with a CVSS score of 9.8 out of 10.

A remote and unauthorized attacker can send a malicious request to the application and execute arbitrary code on the target server. Successful exploitation of this vulnerability may result in complete compromise of the affected system.

Adobe says its own security team discovered the flaw but it is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks. No other information has been provided about the vulnerability to limit the possibility of further exploitation.

Needless to say, if you operate one of the affected products, patch now.

Affected products

Magento is an Adobe company that offers a hosted and self-hosted CMS for web shops. The free version of Magento is open source which offers users the option to make their own changes and allows developers to create extensions for the CMS.

The vulnerability affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions.

Magecart

Only recently we published a blog about a new Magecart campaign which was aimed at Magento sites, but that campaign primarily targeted the Magento 1 version of the CMS which has reached end-of-life (EOL) and has not been supported since June 30, 2020. Were Magecart to get its hands on this vulnerability, that would raise the number of potential targets by hundreds of thousands.

Keeping your site safe

We have written an extensive post about how to defend your website against skimmers, but in summary, here’s what you need to do to keep your site safe:

  • Make sure that the systems used to administer the site are clean of malware.
  • Use strong passwords and do not reuse them.
  • Limit the number of administrators.
  • Keep your site’s software updated.
  • Use a Web Application Firewall (WAF).
  • Know that each dependency is a potential backdoor into your web pages.
  • Use a Content Security Policy (CSP).
  • Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.

How to apply a patch

Unzip the relevant file which you can select here and follow the instructions in how to apply a composer patch provided by Adobe.

Stay safe, everyone!