We would like to bring your attention to the following 0-day exploit we have recently become aware of.
A zero day remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms has been discovered. This vulnerability has been seen to be actively exploited in the wild.
Affected Versions (Both eCommerce Platforms)
-
2.3.7-p2 and earlier
-
2.4.3-p1 and earlier
This vulnerability has been rated as 9.8 out of 10 on the CVSS vulnerability scale. The vulnerability is triggered by improper input validation during the checkout process.
To exploit the vulnerability in its present form, an attacker would need to have administrative privileges in order to be successful.
Remediation
Patches have been made available from Adobe Directly.
-
If you are running Magento 2.3 or 2.4, install the custom patch from Adobe.
-
If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch.
Versions of Magento 2.3.3 or below, are not directly vulnerable. However, it is advisable to apply this patch to ensure any future weaknesses identified are mitigated.
References:

Weaponized patience: the strategic implications of the F5 breach
The F5 breach reveals the growing danger of shared infrastructure attacks. As adversaries learn faster than defenders, the only path to resilience is continuous, adaptive testing.…

Everyone has a plan until they get punched in the face: reflections on the NCSC 2025 annual review
The NCSC Annual Review 2025 delivers a reality check. Highly significant cyber incidents have increased by 50 percent year over year. It’s time to act.

Part 3: CBEST Series – The Future of Threat-Led Penetration Testing
Regulated testing like CBEST is pivotal, but as threats shift, organizations must adopt more strategic, agile threat-led penetration testing. Discover what’s next.