Private security researchers have developed a working exploit for CVE-2022-24086, a vulnerability in Adobe Commerce and Magento Open Source.
Adobe has already released updates that patch the flaw, but site operators who lag in applying them remain exposed. If exploited, the vulnerability lets a remote attacker execute arbitrary code and gain admin privileges without any authentication.
Exploit For Adobe eCommerce Software
For the last couple of weeks, the critical vulnerability tracked as CVE-2022-24086 in Adobe Commerce and Magento Open Source has been making the rounds in the security community. Both platforms are widely used by eCommerce websites, and the flaw carries a CVSS severity score of 9.8 out of 10.
If exploited, the vulnerability lets a remote attacker execute malicious code on a target website and even attain admin-level privileges, all without any authentication. Given its severity, Adobe released an out-of-band update last Sunday to patch it.
Applying that update, however, is up to individual site administrators. Today, Adobe also updated its security advisory for CVE-2022-24086 to add a related vulnerability tracked as CVE-2022-24087. In addition, the offensive security team at Positive Technologies said it has created a reliable exploit for the CVE-2022-24086 bug.
🔥 We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce.
Successful exploitation could lead to RCE from an unauthenticated user. pic.twitter.com/QFXd7M9VVO
— PT SWARM (@ptswarm) February 17, 2022
The team said it has no intention of sharing the exploit with others, and warned that deploying a web application firewall (WAF) cannot reliably block attacks, since there are multiple ways to trigger the bug. That makes the flaw especially attractive to attackers who target online stores to plant web skimmers and steal payment card data.
Adobe has noted that the vulnerability is already being exploited in limited attacks, so administrators of affected sites are advised to apply the patches available from Adobe immediately. Researchers say that more than 17,000 websites are currently running vulnerable versions of the software, some of them belonging to significant businesses.