Web admins urged to update now
Adobe Commerce and Magento Open Source installations need to be updated following the discovery of a critical vulnerability that has already been exploited in the wild.
The vulnerability – tracked as CVE-2022-24086 and with a CVSS severity rating of 9.8 – could allow unauthenticated attackers to skim a customer's credit card details and login credentials from unpatched installations.
Adobe Commerce versions 2.4.3-p1 and 2.3.7-p2 and earlier are vulnerable, along with Magento Open Source 2.4.3-p1 and 2.3.7-p2 and earlier versions.
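The version ranges in the paragraph above are the first thing a merchant needs to check. The following script is an added example (not from the article, Adobe or Sansec): it parses a Magento-style version string such as the output of `bin/magento --version` and reports whether it falls inside the ranges the article lists as vulnerable. It assumes that a `-pN` security patch release sorts after the plain release it patches (2.4.3 < 2.4.3-p1 < 2.4.3-p2); versions on branches the article does not mention are reported as unknown rather than safe. The sample strings at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# Ceilings taken from the article: these releases and everything earlier on the
# same branch are vulnerable. The fourth element is the -pN suffix, 0 = none.
VULNERABLE_UP_TO = {
    (2, 3): (2, 3, 7, 2),   # Adobe Commerce / Magento Open Source 2.3.7-p2 and earlier
    (2, 4): (2, 4, 3, 1),   # Adobe Commerce / Magento Open Source 2.4.3-p1 and earlier
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a Magento-style version (e.g. '2.4.3-p1') from arbitrary text.

    Returns (major, minor, patch, p), where p is 0 when there is no -pN suffix.
    Assumption: a -pN patch release sorts after the release it patches, so the
    tuple compares in the right order (2.4.3 < 2.4.3-p1 < 2.4.3-p2).
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch, p = match.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """Return True if the version is inside the ranges the article lists.

    False means "outside the listed range" (e.g. 2.4.3-p2), not a proof of
    safety. None means the string carried no recognizable version or is on a
    branch the article does not cover, so the caller must not treat it as safe.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    branch = (version[0], version[1])
    if branch in VULNERABLE_UP_TO:
        return version <= VULNERABLE_UP_TO[branch]
    # Anything before the 2.3 branch is "earlier" than both ceilings.
    if branch < (2, 3):
        return True
    # Newer branches are not mentioned on the page: report as unknown.
    return None


def classify(version_text: str) -> str:
    """Human-readable verdict for one version string."""
    verdict = is_vulnerable(version_text)
    if verdict is None:
        return "unknown (no version found or branch not covered)"
    return "VULNERABLE - apply the patch" if verdict else "outside listed vulnerable range"


if __name__ == "__main__":
    # Constructed sample inputs, in the shape `bin/magento --version` prints.
    samples = [
        "Magento CLI 2.4.3-p1",
        "Magento CLI 2.4.3-p2",
        "Magento CLI 2.3.7-p2",
        "Magento CLI 2.3.7-p3",
        "Magento CLI 2.4.2",
        "Magento CLI 2.2.11",
        "version string missing",
    ]
    for sample in samples:
        print(f"{sample!r}: {classify(sample)}")
```

Run it against the real output of `bin/magento --version` (or the `magento/product-community-edition` entry in `composer.lock`) on each store; a result of None is deliberately not collapsed into "safe", because an unparseable version is exactly the case an operator should look at by hand.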
The security bug, which stems from improper input validation, allows remote code execution (RCE) by an unauthenticated attacker and was first reported on January 27.
Independent payment security experts noted that steps had been taken to roll out the fix more quickly than would normally be the case.
Willem de Groot, managing director and founder of Magento security specialist Sansec, told The Daily Swig: "The emergency patch was released on a Sunday, which is quite unusual. Normally, new patches require [developer] agencies to work around the clock to test and implement these for all of their clients. Also, Adobe has not yet added the fix to their Magento master repository on GitHub."
De Groot added: "According to Adobe, this vulnerability has been exploited in the wild in very limited attacks already. This suggests that they were rushing to get a fix out."
The Adobe release comes just days after Sansec's discovery of a mass breach of more than 500 stores running the now unsupported Magento 1 software, with more than 350 infected in just one day.
And back in 2015, a large number of websites were compromised through a vulnerability known as Magento Shoplift, which allowed unauthenticated users to access administration pages on the website and exploit certain pages via SQL injection.
Adobe admitted this latest vulnerability has also been exploited in the wild, but "in very limited attacks". It's urging merchants to apply the patches immediately.
"Sansec has not identified active abuse so far, but as the vulnerability is of the worst possible category – unauthorized RCE – we expect mass scanning and exploitation within days," de Groot warned.
"The same thing happened with the infamous Shoplift Magento 1 vulnerability in 2015. We recommend all merchants to implement the patch today."
A spokesperson for Adobe said the company was not prepared to comment on the vulnerability beyond the information given in its security advisory.