Unauthenticated Remote Code Execution in Magento 2 and Adobe Commerce Systems (CVE-2022-24086)
A unauthenticated remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms was originally discovered in February 2022.
We would like to update you on to the following exploit.
A unauthenticated remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms was originally discovered in February 2022. This vulnerability has been seen to be actively exploited in a new surge of attacks.
Affected Versions (both eCommerce platforms)
- 2.3.7-p2 and earlier
- 2.4.3-p1 and earlier
This vulnerability has been rated as 9.8 out of 10 on the CVSS vulnerability scale.
The vulnerability is triggered by improper input validation during the checkout process.
An attacker is able to exploit this vulnerability without being authenticated on the web application (contrary to what previously has been reported). Several methods to exploit the vulnerability were published. A Proof of Concept (PoC) also has been made available to the public.
Remediation
Patches have been made available from Adobe Directly.
- If you are running Magento 2.3 or 2.4, install the custom patch from Adobe.
- If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch.
Versions of Magento 2.3.3 or below are not directly vulnerable. However, it is advised to apply this patch to ensure any future weaknesses identified are mitigated.
References:
- https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-
- https://helpx.adobe.com/security/products/magento/apsb22-12.html
- https://www.cvedetails.com/cve/CVE-2022-24086/
- https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/
- https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/
The Evolution of EDR Bypasses: A Historical Timeline
The relationship between Endpoint Detection and Response (EDR) solutions and bypass techniques represents one of cybersecurity’s most dynamic battlegrounds. They are a representation of Cybersecurity as…
Billy Giles joins CovertSwarm as Head of Adversary Simulation for North America
CovertSwarm proudly welcomes Billy Giles as Head of Adversary Simulation for the North America region, strengthening our offensive cybersecurity capabilities and constant cyber attack subscription services.…
ANATOMY OF A BREACH: INSIDE THE MODERN RETAIL ATTACK
Retail breaches don’t start with ransomware. They start with people. From social engineering to persistent access, attackers exploit the unseen gaps in your defenses. Learn how…