New Critical RCE Bug Found in Adobe Commerce, Magento

Adobe updated its recent out-of-band security advisory to add another critical bug, while researchers put out a PoC for the one it emergency-fixed last weekend.

Yet another zero-day bug has been discovered in the Magento Open Source and Adobe Commerce platforms. At the same time, researchers have created a working proof-of-concept (PoC) exploit for the recently patched CVE-2022-24086, the vulnerability that came under active attack and forced Adobe to push out an emergency patch last weekend.

Attackers could use either flaw to achieve remote code execution (RCE) as an unauthenticated user.

The new flaw, detailed on Thursday, carries the same severity as its predecessor, which Adobe patched on Feb. 13. It is tracked as CVE-2022-24087 and is likewise rated 9.8 on the CVSS vulnerability-scoring system.


Both are improper input validation issues. On Thursday, Adobe updated its advisory for CVE-2022-24086 to add details for CVE-2022-24087, which it described as an elevation of privilege vulnerability in the Azure IoT CLI extension.

“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said in its revised bulletin.

No Active Attacks

Read More: https://threatpost.com/new-critical-rce-bug-found-in-adobe-commerce-magento/178554/