We would like to bring to your attention the following zero-day vulnerability, which we have recently become aware of.
A zero-day remote code execution (RCE) vulnerability in the Magento 2 and Adobe Commerce platforms has been discovered, and it is being actively exploited in the wild.
Affected Versions (Both eCommerce Platforms)
- 2.3.7-p2 and earlier
- 2.4.3-p1 and earlier
The vulnerability has been rated 9.8 out of 10 on the CVSS scale (critical). It is triggered by improper input validation during the checkout process.
To exploit the vulnerability in its present form, an attacker would need administrative privileges.
Remediation
Patches have been made available directly from Adobe.
- If you are running Magento 2.3 or 2.4, install the custom patch from Adobe.
- If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to apply the patch manually.
Versions of Magento 2.3.3 or below are not directly vulnerable. However, it is advisable to apply this patch to ensure that any future weaknesses identified are mitigated.
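The version ranges above are the practical test an administrator has to run against every store they operate, and the `-pN` patch suffix makes a naive string comparison unreliable (2.4.3 must sort below 2.4.3-p1, and 2.4.3-p2 above it). The following Python script is an added example, not code from Adobe or from this advisory: it parses a Magento version string, whether a bare version from composer.json or the text printed by `bin/magento --version`, and classifies it against the ranges exactly as this advisory states them, including the note that 2.3.3 and below are not directly vulnerable but should still be patched. The sample inputs are constructed, and the status labels are this example's own.

```python
import re
from typing import Optional, Tuple

# Inclusive upper bounds of the affected ranges, as listed in the advisory.
AFFECTED_MAX = {3: "2.3.7-p2", 4: "2.4.3-p1"}
# The advisory states that 2.3.3 or below is not directly vulnerable.
NOT_DIRECTLY_VULNERABLE_MAX = "2.3.3"

# Status labels (chosen for this example, not advisory wording).
AFFECTED = "affected: apply the Adobe patch"
PATCHED = "not affected: version is above the affected range"
NOT_DIRECT = "not directly vulnerable per advisory: patching still advised"
OUT_OF_SCOPE = "outside the advisory's stated version ranges"

# Matches 2.4.3 or 2.4.3-p1 anywhere in a line of text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, p-level) from free text.

    A missing -pN suffix counts as patch level 0, so tuple comparison
    orders 2.4.3 < 2.4.3-p1 < 2.4.3-p2 correctly.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p) if p else 0)


def classify(version_text: str) -> str:
    """Classify a Magento 2 / Adobe Commerce version against the advisory."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    # Magento 1 and anything newer than the 2.4 line are not covered here.
    if v[0] != 2 or v[1] > 4:
        return OUT_OF_SCOPE
    if v <= parse_version(NOT_DIRECTLY_VULNERABLE_MAX):
        return NOT_DIRECT
    # Past this point the minor version is 3 or 4.
    return AFFECTED if v <= parse_version(AFFECTED_MAX[v[1]]) else PATCHED


if __name__ == "__main__":
    # Constructed samples: the shape of `bin/magento --version` output and of
    # bare composer.json versions. These are not captures from a real store.
    samples = [
        "Magento CLI 2.4.3-p1",
        "Magento CLI 2.4.3-p2",
        "2.3.7-p2",
        "2.3.7-p3",
        "2.3.5-p1",
        "2.3.3",
    ]
    for sample in samples:
        print(f"{sample:22} -> {classify(sample)}")
```

Run it against the version string of each store in turn; anything reported as affected should be patched immediately, and stores at 2.3.3 or below should still receive the patch as the advisory recommends.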