Customer Advisory | Critical 0-Day Vulnerability in Adobe Commerce and Magento Open Source Platforms Under Active Exploitation

February 15, 2022
Prepared by Deepwatch Threat Intel Team

Key Points:

  • Adobe released updates on February 13 to address a critical security vulnerability, identified as CVE-2022-24086 with a CVSS score of 9.8, that affects its Commerce and Magento Open Source products.
  • The vulnerability is an “improper input validation” flaw (CWE-20) that can be exploited to achieve arbitrary code execution. Adobe is aware that threat actors have exploited the vulnerability in the Adobe Commerce platform in limited attacks.
  • Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability in Adobe Commerce and Magento Open Source platforms to infect eCommerce stores with credit card skimmers. Therefore, it is recommended that customers update their platform to the latest version, check their payment pages for unauthorized modifications that could indicate skimming activities, and review for possible webshells placed as backdoors.

Overview:

Adobe released updates on February 13 to address a critical security vulnerability, tracked as CVE-2022-24086 with a CVSS score of 9.8, that affects its Commerce and Magento Open Source products. Adobe is aware that threat actors have exploited the vulnerability in the Adobe Commerce platform in limited attacks. 

The vulnerability is an “improper input validation” flaw (CWE-20) that can be exploited to achieve arbitrary code execution. In addition, threat actors do not need to be authenticated to exploit it, so any Internet-facing store on an affected version is exposed.

What Products are Affected?

Adobe Commerce:

  • 2.4.3-p1 and earlier versions
  • 2.3.7-p2 and earlier versions

Magento Open Source:

  • 2.4.3-p1 and earlier versions
  • 2.3.7-p2 and earlier versions

What Do I Need to Do?

For customers running Adobe Commerce, it is recommended to apply the MDVA-43395_EE_2.4.3-p1_v1 patch released by Adobe.

For customers running Magento Open Source, it is recommended to apply the same MDVA-43395_EE_2.4.3-p1_v1 patch; despite the “EE” in its name, Adobe lists this one patch for both products. Note that it is a hotfix applied on top of an installed release, not a new version, so the version string reported by the store does not change after it is applied. Keep a record of where it has been applied.
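
To decide quickly which installations fall inside the affected ranges listed above, the following added example (written for this advisory; it is not Adobe's or Magento's own tooling) reads the product metapackage version out of a store's composer.lock and compares it against the ceilings Adobe published. It assumes the standard Composer metapackage names magento/product-enterprise-edition (Adobe Commerce) and magento/product-community-edition (Magento Open Source) and version strings of the form 2.4.3-p1; the sample composer.lock is constructed. Because applying MDVA-43395 does not change the version string, a result of “affected” means “unpatched unless you have a record of applying the patch.”

```python
import json
import re
from typing import Optional, Tuple

# Highest affected release on each line, as stated in the advisory:
# 2.4.3-p1 and earlier on the 2.4 line, 2.3.7-p2 and earlier on the 2.3 line.
AFFECTED_CEILING = {
    (2, 4): (2, 4, 3, 1),
    (2, 3): (2, 3, 7, 2),
}

# Composer metapackage names of the two products.
PRODUCT_PACKAGES = {
    "magento/product-enterprise-edition": "Adobe Commerce",
    "magento/product-community-edition": "Magento Open Source",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into (2, 4, 3, 1). A release without a -pN suffix gets
    patch level 0, so 2.4.3 < 2.4.3-p1 < 2.4.4 compares correctly as tuples."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True if the version is within the ranges the advisory lists as affected."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in AFFECTED_CEILING:
        return v <= AFFECTED_CEILING[line]
    # 2.x releases older than the 2.3 line are "2.3.7-p2 and earlier";
    # anything newer than the 2.4 line is outside the advisory's ranges.
    return v[0] == 2 and v < (2, 3, 0, 0)


def product_version_from_lock(composer_lock: str) -> Optional[Tuple[str, str]]:
    """Return (product name, version) for the Commerce / Open Source metapackage
    found in a composer.lock document, or None if neither is present."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        name = pkg.get("name")
        if name in PRODUCT_PACKAGES:
            return PRODUCT_PACKAGES[name], pkg.get("version", "")
    return None


def assess_lock(composer_lock: str) -> str:
    """One-line verdict for a composer.lock document."""
    found = product_version_from_lock(composer_lock)
    if found is None:
        return "no Adobe Commerce / Magento Open Source metapackage found in composer.lock"
    product, version = found
    status = "AFFECTED, apply MDVA-43395" if is_affected(version) else "outside the affected range"
    return f"{product} {version}: {status}"


# Constructed sample composer.lock fragment (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.3-p1"},
        {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
    ]
})

if __name__ == "__main__":
    print(assess_lock(SAMPLE_LOCK))
```

Run it against the composer.lock in each store's Magento root; for a fleet, feed every lock file through assess_lock and triage the “AFFECTED” lines first.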

Deepwatch Threat Intelligence Outlook

Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will exploit the vulnerability in Adobe Commerce and Magento Open Source platforms to infect eCommerce stores with credit card skimmers. This assessment is based in part on research by Sansec, an eCommerce malware and vulnerability detection company, which reported on February 8 that a Magecart campaign had infected 500 Magento-based stores with a credit card skimmer built to steal payment card data. Every infected store loaded the skimmer from the same domain, naturalfreshmall[.]com. Sansec also found that the threat actors had used a combination of SQL injection (SQLi) and PHP Object Injection (POI) attacks to take control of the stores. That campaign predates Adobe's advisory and relied on different entry points; the concern is that CVE-2022-24086 gives the same type of actor an unauthenticated path to the same outcome. Therefore, it is recommended that customers update their platform to the latest version, check their payment pages for unauthorized modifications that could indicate skimming activity, and review for possible webshells placed as backdoors.
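
The two checks recommended above, unauthorized script loads on payment pages and webshells dropped as backdoors, can be scripted. The added example below is written for this advisory and is not Sansec's or Deepwatch's tooling. The page HTML, the file contents and the allowlisted host cdn.example.com are constructed; only the naturalfreshmall[.]com domain comes from the report cited above. It flags any external script whose host is not on the allowlist, any script that references the known skimmer domain, any PHP file under Magento's upload, cache or generated-asset directories (pub/media, pub/static, var), and PHP source matching common webshell idioms.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Skimmer-hosting domain from the Sansec report cited above; extend with your own IOCs.
IOC_DOMAINS = {"naturalfreshmall.com"}

# Magento directories that hold uploads, caches or generated assets and must never
# contain PHP; a .php file there is almost always a dropped backdoor.
NO_PHP_DIRS = ("pub/media/", "pub/static/", "var/")

# Idioms common in PHP webshells. Magento core does not execute request data this way,
# so every hit deserves a manual look.
WEBSHELL_PATTERNS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "command execution from request parameter"),
    (re.compile(r"\b(assert|create_function)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "code execution from request parameter"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_"),
     "variable function called from request parameter"),
]


class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def check_payment_page(html: str, allowed_hosts: Set[str]) -> List[str]:
    """Findings for a checkout/payment page: scripts loaded from hosts outside the
    allowlist, and any script (external or inline) that references a known skimmer
    domain. Relative src values (same origin) are not reported."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for src in collector.external:
        host = (urlsplit(src).hostname or "").lower()
        if not host:
            continue  # same-origin path such as /static/...
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(f"known skimmer domain loaded: {src}")
        elif host not in allowed_hosts:
            findings.append(f"script from host outside allowlist: {src}")
    for body in collector.inline:
        if any(d in body for d in IOC_DOMAINS):
            findings.append("inline script references known skimmer domain")
    return findings


def scan_for_webshells(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """files maps Magento-root-relative path -> content (built in memory here; in
    practice walk the document root). Returns (path, reason) per suspicious file."""
    findings: List[Tuple[str, str]] = []
    for path, content in files.items():
        if not (path.endswith(".php") or content.lstrip().startswith("<?php")):
            continue
        if path.startswith(NO_PHP_DIRS):
            findings.append((path, "PHP file in upload/cache/static directory"))
        for pattern, reason in WEBSHELL_PATTERNS:
            if pattern.search(content):
                findings.append((path, reason))
    return findings


# Constructed sample data (not captured from a real store).
SAMPLE_PAGE = """<html><head>
<script src="/static/version1/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://cdn.example.com/checkout.js"></script>
<script src="https://static.example.net/tracker.js"></script>
<script src="https://naturalfreshmall.com/loader.js"></script>
<script>window.checkoutConfig = {"quoteId": "123"};</script>
</head><body></body></html>"""

SAMPLE_FILES = {
    "pub/media/wysiwyg/cache.php": "<?php @eval(base64_decode($_POST['c']));",
    "pub/media/catalog/product/img.jpg.php": "<?php $_GET['f']($_GET['a']);",
    "app/code/Vendor/Module/Model/Foo.php": "<?php\nnamespace Vendor\\Module\\Model;\nclass Foo {}",
}

if __name__ == "__main__":
    for finding in check_payment_page(SAMPLE_PAGE, allowed_hosts={"cdn.example.com"}):
        print("page:", finding)
    for path, reason in scan_for_webshells(SAMPLE_FILES):
        print("file:", path, "-", reason)
```

Fetch the checkout page as a customer would see it (skimmers are frequently injected at render time from a compromised database or theme, so scanning files alone can miss them), build the allowlist from the third-party hosts your payment flow legitimately needs, and treat any new host as an incident until explained. Pair the file scan with a comparison against a clean copy of the release so that modified core files stand out as well.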
