Adobe: Zero-Day Magento 2 RCE Bug Under Active Attack

The vendor issued an emergency fix on Sunday, and eCommerce websites should update ASAP to avoid Magecart card-skimming attacks and other problems.

A zero-day remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms has been actively exploited in the wild, Adobe said – prompting an emergency patch to roll out over the weekend.

The vulnerability (CVE-2022-24086) is critical: it allows pre-authentication RCE arising from improper input validation. It scores 9.8 out of 10 on the CVSS vulnerability-severity scale, but there is one mitigating factor: an attacker would need administrative privileges in order to succeed.

It affects versions 2.3.7-p2 and earlier and 2.4.3-p1 and earlier of both eCommerce platforms, according to the advisory. According to SanSec, which did a deeper dive into patching the bug on Magento, the following should be taken into consideration:

If you are running Magento 2.3 or 2.4, install the custom patch from Adobe ASAP, ideally within the next few hours. If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to apply the patch manually, as it only concerns a few lines. And, if you are
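A small triage helper for the version ranges quoted above, added here as an example (it is not code from the article, Adobe or SanSec). It assumes Magento's usual `MAJOR.MINOR.PATCH[-pN]` version format and treats a release with no `-pN` suffix as patch level 0; the affected ranges are the ones the advisory names.

```python
import re
from typing import Tuple

# Affected ranges quoted from the advisory: 2.3.7-p2 and earlier, and 2.4.3-p1 and earlier.
LAST_AFFECTED_23_LINE = (2, 3, 7, 2)
LAST_AFFECTED_24_LINE = (2, 4, 3, 1)

# Assumption: Magento versions look like "2.4.3" or "2.4.3-p1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into the sortable tuple (2, 4, 3, 1).

    A release without a -pN suffix sorts as patch level 0, so that
    2.4.3 < 2.4.3-p1 < 2.4.3-p2, matching how Magento security patches stack.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True if this Magento 2 / Adobe Commerce version falls inside an affected range.

    The 2.4 line is compared against 2.4.3-p1; everything else is compared against
    2.3.7-p2, so older lines that are "earlier" than that (e.g. 2.3.3) are flagged too.
    """
    v = parse_version(version)
    if v[:2] == (2, 4):
        return v <= LAST_AFFECTED_24_LINE
    return v <= LAST_AFFECTED_23_LINE


def triage(stores: dict) -> dict:
    """Map store name -> True/False for a constructed inventory of {name: version}."""
    return {name: is_affected(ver) for name, ver in stores.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"shop-a": "2.4.3-p1", "shop-b": "2.4.3-p2", "shop-c": "2.3.5"}
    for name, affected in triage(inventory).items():
        print(f"{name}: {'PATCH NOW' if affected else 'not in affected range'}")
```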

Read More: https://threatpost.com/adobe-zero-day-magento-rce-attack/178407/