New Critical RCE Bug Found in Adobe Commerce, Magento

magento security flaw adobe

Adobe updated its recent out-of-band security advisory to add another critical bug, while researchers put out a PoC for the one it emergency-fixed last weekend.

Yet another zero-day bug has been discovered in the Magento Open Source and Adobe Commerce platforms, while researchers have created a working proof-of-concept (PoC) exploit for the recently patched CVE-2022-24086 vulnerability that came under active attack and forced Adobe to push out an emergency patch last weekend.

Attackers could use either exploit to achieve remote code-execution (RCE) from an unauthenticated user.

The new flaw, detailed on Thursday, has the same level of severity assigned to its predecessor, which Adobe patched on Feb. 13. It’s tracked as ​​ CVE-2022-24087 and similarly rated 9.8 on the CVSS vulnerability-scoring system.

Webinar Promo

Click to Register for FREE

Both are improper input validation issues. On Thursday, Adobe updated its advisory for CVE-2022-24086 to add details for CVE-2022-24087, which it described as an elevation of privilege vulnerability in the Azure IoT CLI extension.

“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said in its revised bulletin.

No Active Attacks for the New Flaw

While the company is aware of “very limited attacks” on Adobe Commerce merchants that have targeted the CVE-2022-24086 flaw, the company said that it’s unaware of any exploits in the wild for CVE-2022-24087.

Positive Technologies researchers said on Thursday that they’ve been able to reproduce the CVE-2022-24086 vulnerability and have created a working exploit.

Both vulnerabilities affect Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1. However, versions 2.3.0 to 2.3.3 aren’t affected, Adobe said.

The company has provided a guide for users to manually install the security patches.

Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. Blaklis said in a tweet that the first patch to resolve CVE-2022-24086 is “NOT SUFFICIENT” to be safe, urging Magento & Commerce users to update again.

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.

Suggested articles