On Sunday, Adobe issued an emergency alert informing users of Adobe Commerce and Magento about a severe zero-day flaw being exploited in attacks. The weakness, tracked as CVE-2022-24086 with a CVSS score of 9.8, is described as an improper input validation problem that can lead to arbitrary code execution. Adobe states that the flaw may be exploited without authentication.
The vulnerability affects versions 2.4.3-p1 and earlier of the Magento Open Source and Adobe Commerce e-commerce platforms, as well as versions 2.3.7-p2 and older of Adobe Commerce. Adobe has produced patches, distributed as MDVA-43395_EE_2.4.3-p1_v1.
According to Adobe, “CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” Adobe has not given any further details about the attacks, and no one has been credited with reporting the issue.
Adobe also stated that it could not provide further information about the issue because it must preserve its customers’ security and privacy. The company clarified that the vulnerability was found by its internal security team.
E-commerce software flaws are frequently targeted in large-scale cyberattacks. Fraudsters recently attacked more than 500 Magento 1 online businesses, with the intention to plant web skimmers meant to steal user data. The attackers took advantage of several weaknesses and the fact that Magento 1 is no longer receiving security patches.
Only a few vulnerabilities in Adobe’s products have been exploited in cyberattacks since the company decided to abandon Flash. Security flaws in Adobe products remain lucrative, however: the Acrobat and Reader issues Adobe corrected this month earned researchers $150,000 at China’s Tianfu Cup hacking competition in October 2021.