We would like to bring your attention to the following 0-day exploit we have recently become aware of.
A zero day remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms has been discovered. This vulnerability has been seen to be actively exploited in the wild.
Affected Versions (Both eCommerce Platforms)
-
2.3.7-p2 and earlier
-
2.4.3-p1 and earlier
This vulnerability has been rated as 9.8 out of 10 on the CVSS vulnerability scale. The vulnerability is triggered by improper input validation during the checkout process.
To exploit the vulnerability in its present form, an attacker would need to have administrative privileges in order to be successful.
Remediation
Patches have been made available from Adobe Directly.
-
If you are running Magento 2.3 or 2.4, install the custom patch from Adobe.
-
If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch.
Versions of Magento 2.3.3 or below, are not directly vulnerable. However, it is advisable to apply this patch to ensure any future weaknesses identified are mitigated.
References:
Handala & MuddyWater: MDM Weaponization at Enterprise Scale
On 11 March 2026, an Iranian two-team operation destroyed 200,000 enterprise devices at Stryker without deploying a single piece of malware. One compromised Global Administrator account.…
Why Robbing Banks Is Easy (And Why That Should Terrify You)
A globally recognized ethical hacker shares real social engineering stories from legally robbing banks across five continents. The tools change. The human vulnerabilities don’t.
Swarm Intelligence: Stryker’s Intune wipe proves your BCDR plan has a single point of failure
No malware. No ransomware. One compromised Global Admin account and the management console your IT team used this morning. The Stryker incident proves that when the…