Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild.
On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm’s threat data, the security flaw is being weaponized “in very limited attacks targeting Adobe Commerce merchants.”
Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, which places it in the critical band, the highest severity rating possible.
The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.”
CVE-2022-24086 does not require any administrator privileges to trigger. Adobe says the critical, pre-auth bug can be exploited in order to execute arbitrary code.
As the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to apply the fixes and reduces the risk of further exploitation.
The bug impacts Adobe Commerce (2.3.3-p1 to 2.3.7-p2) and Magento Open Source (2.4.0 to 2.4.3-p1), as well as earlier versions.