Skip to content

Unauthenticated Remote Code Execution in Magento 2 and Adobe Commerce Systems (CVE-2022-24086)

A unauthenticated remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms was originally discovered in February 2022.

  • Resources
  • Glossary
  • Unauthenticated Remote Code Execution in Magento 2 and Adobe Commerce Systems (CVE-2022-24086)

We would like to update you on to the following exploit.

A unauthenticated remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms was originally discovered in February 2022. This vulnerability has been seen to be actively exploited in a new surge of attacks.

Affected Versions (both eCommerce platforms)

  • 2.3.7-p2 and earlier
  • 2.4.3-p1 and earlier

This vulnerability has been rated as 9.8 out of 10 on the CVSS vulnerability scale.

The vulnerability is triggered by improper input validation during the checkout process.

An attacker is able to exploit this vulnerability without being authenticated on the web application (contrary to what previously has been reported). Several methods to exploit the vulnerability were published. A Proof of Concept (PoC) also has been made available to the public.

Remediation

Patches have been made available from Adobe Directly.

  • If you are running Magento 2.3 or 2.4, install the custom patch from Adobe.
  • If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch.

Versions of Magento 2.3.3 or below are not directly vulnerable. However, it is advised to apply this patch to ensure any future weaknesses identified are mitigated.

References:

Silhouettes of a team standing together in low light, representing collaboration within a Security Operations Center.

SOC Testing: Turning Your Security Operations Centre into a Continuous Learning Engine

SOC testing isn’t just about finding vulnerabilities. It’s about building collaboration, sharpening human judgment, and turning your SOC into a continuous learning engine.
Wooden garden shed where CovertSwarm founder Anders Reeves conceived the idea for continuous penetration testing during COVID-19 lockdown

Why I founded CovertSwarm after annual pen tests failed me

Almost every business I worked for got breached. Our teams did the same thing each time: an occasional pen test, a thick report full of findings,…
Black and white surveillance perspective view of people at a table through a car window, symbolizing covert observation and offensive security reconnaissance

When a former UK Government cyber operations chief says AI is “limitless” in Offensive Security, we should pay attention

Jim Clover says AI has made offensive cyber “limitless.” Attackers are using it now. The horse has already bolted. And if your red team isn’t keeping…