Emergency Magento update fixes zero-day bug exploited in attacks

Critical Magento patch available in emergency update

Adobe rolled out emergency updates for Adobe Commerce and Magento Open Source to fix a critical vulnerability tracked as CVE-2022-24086 that’s being exploited in the wild.

Technical details about the security issue are not available yet but Adobe highlights that exploiting it does not require authentication and assessed it’s severity to 9.8 out of 10.

Priority patch

Administrators of online stores running Adobe Commerce or Magento Open Source versions 2.4.3-p1/2.3.7-p2 and below are strongly advised to prioritize addressing CVE-2022-24086 and apply the update as soon as possible.

Websites running Adobe Commerce 2.3.3 and lower are not affected by this security vulnerability.

On Sunday, Adobe published an out-of-band security bulletin warning that threat actors are exploiting CVE-2022-24086 “in the wild in very limited attacks targeting Adobe Commerce merchants.”

Hackers successfully leveraging the bug can achieve remote code execution on vulnerable machines without authentication.

Adobe knew about this critical severity flaw since for more than two weeks, since at least January 27, when CVE-2022-24086 was submitted to MITRE’s Common Vulnerabilities and Exposures (CVE) database and received a tracking number.

Sansec, a company offering eCommerce malware and vulnerability detection services, stresses that stores running Magento 2.3 or 2.4 should install the custom patch from Adobe immediately, “ideally within the next few hours.”

For stores using Magento 2 between 2.3.3 and 2.3.7, applying the patch can be done manually, Sansec notes, because the process involves modifying just a few lines.

“If you are running Magento 2.3.3 or below, you are not directly vulnerable. However, Sansec still recommends to manually implement the given patch” – Sansec

The company warns that failing to apply the patch can have severe consequences, similar to the 2015 critical bug Magento Shoplift, discovered by security researchers at cybersecurity company Check Point.

Back then, exploitation started even before the technical details for Magento Shoplift became public in April 2015, with well over 100,000 websites still using a vulnerable version of the e-commerce platform months later.