Heimdal
article featured image

Contents:

Yesterday, Adobe issued an emergency advisory to notify users of Adobe Commerce and Magento about a critical zero-day vulnerability that has been exploited in attacks.

As per the tech giant’s threat data, the security issue is being used “in very limited attacks targeting Adobe Commerce merchants.”

To address the critical security flaw affecting its products, the American multinational computer software company has developed patches, which are delivered as MDVA-43395 EE 2.4.3-p1 v1.

The vulnerability has been identified as CVE-2022-24086, with a CVSS score of 9.8. It is characterized as an improper input validation issue that can result in arbitrary code execution. According to Adobe, the flaw can be abused without requiring authentication.

However, the California-based firm also stated that the flaw can only be exploited by hackers with administrative privileges.

Affected Products and Versions

The security vulnerability impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. Adobe Commerce versions prior to 2.3.3 are not affected.

Patches from Adobe can be downloaded and manually installed here.

Adobe has not given any other details about the attacks, and no one has been credited with disclosing the weakness.

According to SecurityWeek, the company declared that it is unable to discuss any additional information about the vulnerability in order to protect its customers’ privacy and security.

The company said that its internal security team was the one to find the vulnerability:

Our internal Adobe security team employs technologies that regularly monitor and help us identify and respond when issues occur.

Source

The findings come after Sansec, an e-commerce malware and vulnerability detection firm, revealed last week that a Magecart attack impacted 500 sites powered by Magento 1 with a credit card skimmer intended to collect sensitive payment details.

The cybercriminals took advantage of a combination of vulnerabilities, as well as the fact that Magento 1 is no longer receiving security fixes.

This month, Adobe released patches for products including Premiere Rush, Illustrator, and Creative Cloud. Among other issues, the patch round addressed security flaws that could result in arbitrary code execution, Denial-of-Service (DoS), and privilege escalation.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE