Your hacker Blog

Critical Magento zero-day flaw CVE-2022-24086 actively exploited

Adobe addressed a critical vulnerability (CVE-2022-24086) impacting Magento Open Source products that is being actively exploited in the wild.

Adobe rolled out security updates to address a critical security vulnerability, tracked as CVE-2022-24086, affecting its Commerce and Magento Open Source products that is being actively exploited in the wild.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.

The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.

The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, it is classified as a pre-authentication issue which means that it could be exploited without credentials.   

The vulnerability affects the following versions of the products:

ProductVersionPlatform Adobe Commerce2.4.3-p1 and earlier versions  All2.3.7-p2 and earlier versions  AllMagento Open Source2.4.3-p1 and earlier versions       All2.3.7-p2 and earlier versionsAllAdobe Commerce 2.3.3 and lower are not affected by this vulnerability.

Last week, researchers from cybersecurity firm Sansec uncovered a massive Magecart campaign that already compromised more than 500 online stores running the Magento 1 eCommerce platform.

Threat actors behind this campaign deployed a digital skimmer that was being loaded from the naturalfreshmall(.)com domain.

More than 350 ecommerce stores infected with malware in a single day.Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.— Sansec (@sansecio) January 25, 2022An interesting characteristic of this attack is the combination of SQL injection and PHP object injection to take over the Magento store.

Experts pointed out that Magento 1 platform has reached End-of-Life and that for this reason will no longer receive security updates.

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Magento)

The post Critical Magento zero-day flaw CVE-2022-24086 actively exploited appeared first on Security Affairs.