Critical Magento zero-day flaw CVE-2022-24086 actively exploited


Adobe addressed a critical vulnerability (CVE-2022-24086) impacting Magento Open Source products that is being actively exploited in the wild.

Adobe rolled out security updates to address a critical security vulnerability, tracked as CVE-2022-24086, affecting its Commerce and Magento Open Source products that is being actively exploited in the wild.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.

The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.

CVE-2022-24086 received a CVSS score of 9.8 out of 10; it is classified as a pre-authentication issue, which means it could be exploited without credentials.

The vulnerability affects the following versions of the products:

Product              Version                        Platform
Adobe Commerce       2.4.3-p1 and earlier versions  All
Adobe Commerce       2.3.7-p2 and earlier versions  All
Magento Open Source  2.4.3-p1 and earlier versions  All
Magento Open Source  2.3.7-p2 and earlier versions  All

Adobe Commerce 2.3.3 and lower are not affected by this vulnerability.
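The two affected ranges above, combined with the 2.3.3-and-lower exclusion, are easy to misread when triaging a store inventory by hand. The checker below is an added example written for this article, not Adobe's or Sansec's code; it assumes Magento version strings of the form MAJOR.MINOR.PATCH with an optional -pN suffix, that a bare release sorts before its -p1 patch, and that the ranges are inclusive (2.3.4 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Inclusive affected ranges taken from Adobe's table for CVE-2022-24086,
# narrowed by the article's note that 2.3.3 and lower are not affected.
# Assumption: a version with no "-pN" suffix sorts before its "-p1" patch.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int, int], Tuple[int, int, int, int]]] = [
    ((2, 3, 4, 0), (2, 3, 7, 2)),   # 2.3.4 .. 2.3.7-p2
    ((2, 4, 0, 0), (2, 4, 3, 1)),   # 2.4.0 .. 2.4.3-p1
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a missing patch suffix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version: str) -> bool:
    """True if a Commerce / Magento Open Source version sits inside an
    affected range for CVE-2022-24086 according to the table above."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventoried version string to an 'affected' / 'not affected' verdict."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real store data.
    sample = ["2.4.3-p1", "2.4.3", "2.4.3-p2", "2.3.7-p2", "2.3.3", "2.4.4", "2.2.11"]
    for v, verdict in triage(sample).items():
        print(f"{v:10s} {verdict}")
```

A version string alone cannot show whether a hotfix has been applied on top of an affected release, so treat a match as "verify the patch" rather than as a confirmed gap.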

Last week, researchers from cybersecurity firm Sansec uncovered a massive Magecart campaign that already compromised more than 500 online stores running the Magento 1 eCommerce platform.

Threat actors behind this campaign deployed a digital skimmer that was being loaded from the naturalfreshmall(.)com domain.

More than 350 ecommerce stores infected with malware in a single day.

Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.

— Sansec (@sansecio) January 25, 2022

An interesting characteristic of this attack is the combination of SQL injection and PHP object injection to take over the Magento store.

Experts pointed out that the Magento 1 platform has reached End-of-Life and for this reason will no longer receive security updates.

Pierluigi Paganini

(SecurityAffairs – hacking, Magento)