Adobe disclosed in a security advisory yesterday that its e-commerce storefront solutions, Adobe Commerce and Magento, have a critical vulnerability that can be exploited to achieve arbitrary remote code execution. The vulnerability is tracked as CVE-2022-24086. The company stated in the advisory that “CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” The vulnerability was assigned a CVSS score of 9.8/10.
According to the security advisory, the affected versions are currently listed as all versions above 2.3.3.
Adobe has released patches and updated versions for both Adobe Commerce, v 2.4.3-p1_v1, and Magento Open Source, 2.4.3-p1_v1. Due to reports of active exploitation, organizations should prioritize testing and deploying the latest updates to avoid an operational or customer information breach. Critical vulnerabilities should be addressed as soon as possible because, once threat actors gain access to an organization’s servers, they often install backdoors, create illegitimate accounts, and deploy other persistence methods.