New Critical RCE Bug Found in Adobe Commerce, Magento

Yet another zero-day bug has been discovered in the Magento Open Source and Adobe Commerce platforms, while researchers have created a working proof-of-concept (PoC) exploit for the recently patched CVE-2022-24086 vulnerability that came under active attack and forced Adobe to push out an emergency patch last weekend.

Attackers could use either exploit to achieve remote code-execution (RCE) from an unauthenticated user.

The new flaw, detailed on Thursday, has the same level of severity assigned to its predecessor, which Adobe patched on Feb. 13. It’s tracked as ​​ CVE-2022-24087 and similarly rated 9.8 on the CVSS vulnerability-scoring system.

Click to Register for FREE

Both are improper input validation issues. On Thursday, Adobe updated its advisory for CVE-2022-24086 to add details for CVE-2022-24087, which it described as an elevation of privilege vulnerability in the Azure IoT CLI extension.

“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said in its revised bulletin.

No Active Attacks for the New Flaw

While the company is aware of “very limited attacks” on Adobe Commerce merchants that have targeted the CVE-2022-24086 flaw, the company said that it’s unaware of any exploits in the wild for CVE-2022-24087.

Positive Technologies researchers said on Thursday that they’ve been able to reproduce the CVE-2022-24086 vulnerability and have created a working exploit.

> 🔥 We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce.
>
> Successful exploitation could lead to RCE from an unauthenticated user. pic.twitter.com/QFXd7M9VVO
>
> — PT SWARM (@ptswarm) February 17, 2022

Both vulnerabilities affect Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1. However, versions 2.3.0 to 2.3.3 aren’t affected, Adobe said.

The company has provided a guide for users to manually install the security patches.

Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. Blaklis said in a tweet that the first patch to resolve CVE-2022-24086 is “NOT SUFFICIENT” to be safe, urging Magento & Commerce users to update again.

> A new patch have been published for Magento 2, to mitigate the pre-authenticated remote code execution. If you patched with the first patch, THIS IS NOT SUFFICIENT to be safe.
Please update again!<https://t.co/vtYj9Ic6ds&gt;[@ptswarm](&lt;https://twitter.com/ptswarm?ref_src=twsrc^tfw&gt;) (as you had a PoC too!)#magento
>
> — Blaklis (@Blaklis_) February 17, 2022

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.