Security researchers have developed an exploit for CVE-2022-24086, a significant vulnerability affecting Adobe Commerce and Magento Open Source that Adobe fixed in an out-of-band update last Sunday. The flaw, which Adobe says has been “exploited in the wild in very limited assaults,” has a severity rating of 9.8 out of ten, and attackers who exploit it can achieve remote code execution on susceptible systems without having to authenticate.
Adobe updated its security advisory for CVE-2022-24086 earlier today, adding a second vulnerability, CVE-2022-24087, which has the same severity score as CVE-2022-24086 and can lead to the same consequence when used in attacks. Both are Improper Input Validation flaws, and the company has released patches for Adobe Commerce and Magento Open Source that address them.
Positive Technologies’ Offensive Team stated today in a tweet that they have developed a viable exploit for CVE-2022-24086. According to the researchers, attackers who exploit the flaw can gain “full access to the target system with web-server privileges.” They caution that relying on a web application firewall (WAF) to block exploitation attempts is ineffective, since there are various ways to exploit the flaw “without particular and non-removable constructs in the request.”
Positive Technologies researchers said that, when the technical details aren’t available, developing “a complete exploit is quite a difficult task.” Once this stumbling block is removed, on the other hand, attacking weak targets “is fairly straightforward and simple.” Threat actors should not be discounted, however. Motivated attackers will put in the effort to build an exploit, even if it takes them longer.
Financially motivated attackers are after credit card data, which is often collected via a web skimmer, a malicious script placed into payment forms. Furthermore, as Adobe pointed out in its alert, CVE-2022-24086 is already being used by certain threat actors in limited attacks. According to the researchers, there are more than 17,000 susceptible websites, including those from “major businesses.”
The researchers say they have no plans to publish the proof-of-concept exploit code they developed or to release it privately inside the information security sector. The decision was made in part because many websites are still running unpatched Adobe Commerce and Magento products. Online shop managers should install the patches for these major vulnerabilities to protect against exploitation attempts.
Researchers Eboda and Blaklis are credited with finding the second significant flaw (CVE-2022-24087). The latter emphasizes that applying only the first fix is insufficient.