Feb 15, 2022

Adobe patches actively exploited Magento/Adobe Commerce zero-day

Exploits and vulnerabilities
Adobe has released an emergency advisory for users of its Commerce and Magento platforms. It explains that a critical zero-day vulnerability is being actively exploited in attacks against sites that run these two content management systems (CMSes). Users should apply the patch as soon as possible.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability has been assigned CVE-2022-24086.
The flaw is described as an improper input validation vulnerability that could lead to arbitrary code execution. It is exploitable without credentials, is rated as critical, and has been given a CVSS score of 9.8 out of 10.
A remote and unauthorized attacker can send a malicious request to the application and execute arbitrary code on the target server. Successful exploitation of this vulnerability may result in complete compromise of the affected system.
Adobe says its own security team discovered the flaw, but it is also aware that CVE-2022-24086 has been exploited in the wild in very limited attacks. Adobe has not released any further details about the vulnerability, in order to limit the possibility of further exploitation.
Needless to say, if you operate one of the affected products, patch now.
Magento is an Adobe-owned company that offers a hosted and a self-hosted CMS for web shops. The free version of Magento is open source, which gives users the option to make their own changes to the code and allows developers to create extensions for the CMS.
The vulnerability affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions.
Only recently, we published a blog post about a new Magecart campaign aimed at Magento sites, but that campaign primarily targeted Magento 1, a version of the CMS that reached end-of-life (EOL) on June 30, 2020 and has not been supported since. Were Magecart to get its hands on this vulnerability, it would raise the number of potential targets by hundreds of thousands.
We have written an extensive post about how to defend your website against skimmers, but in summary, here is what you need to do to keep your site safe:
Unzip the relevant patch file (which you can select here) and follow the instructions provided by Adobe on how to apply a composer patch.
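Before applying the patch it is worth confirming which branch and patch level a shop is actually running, since the advisory gives two separate cut-offs (2.4.3-p1 and earlier on the 2.4 branch, 2.3.7-p2 and earlier on the 2.3 branch). The script below is an added example, not code from the original post or from Adobe: it parses Magento's `major.minor.patch[-pN]` version strings and reports whether a version falls inside the affected range. The CLI output format it accepts (a line containing the version, as printed by `bin/magento --version`) is an assumption; the thresholds are the ones stated in the article.

```python
import re
from typing import Dict, Optional, Tuple

# A Magento version as (major, minor, patch, security-patch-level).
# "2.4.3" is treated as security-patch level 0, "2.4.3-p1" as level 1.
Version = Tuple[int, int, int, int]

# Thresholds from Adobe's advisory for CVE-2022-24086: on each branch,
# this version and everything earlier is affected.
AFFECTED_UP_TO: Dict[Tuple[int, int], Version] = {
    (2, 4): (2, 4, 3, 1),  # 2.4.3-p1 and earlier
    (2, 3): (2, 3, 7, 2),  # 2.3.7-p2 and earlier
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '2.4.3-p1' or '2.3.7' into a comparable tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_affected(text: str) -> bool:
    """True if the version is at or below the advisory cut-off for its branch."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch in AFFECTED_UP_TO:
        # Tuple comparison orders by major, minor, patch, then -pN level.
        return v <= AFFECTED_UP_TO[branch]
    # Branches older than 2.3 are "earlier versions" and therefore affected;
    # anything newer than the 2.4 branch is outside the advisory's range.
    return v < (2, 3, 0, 0)


def version_from_cli_output(output: str) -> Optional[str]:
    """Pull the version string out of a 'bin/magento --version' line.

    Assumption (not from the article): the output contains the version in
    the same major.minor.patch[-pN] form, e.g. 'Magento CLI 2.4.3-p1'.
    """
    m = VERSION_RE.search(output)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample output, as a shop operator might capture it.
    sample_cli_output = "Magento CLI 2.4.3-p1"
    version = version_from_cli_output(sample_cli_output)
    status = "AFFECTED - apply the composer patch" if is_affected(version) else "not in affected range"
    print(f"{version}: {status}")
```

Usage: run `bin/magento --version` from the Magento root and pass the output to `version_from_cli_output`, or call `is_affected("2.3.7-p2")` directly. Note that a version just above a cut-off on one branch (for example 2.3.7-p3) is still numerically below 2.4.3-p1, which is why the check is done per branch rather than against a single threshold.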
Stay safe, everyone!
ABOUT THE AUTHOR

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.