-
Notifications
You must be signed in to change notification settings - Fork 6
/
UPDATE! Threat Intelligence Alert 14.02.22 - Critical Adobe Commerce and Magento Vulnerability Exploited in the Wild.txt
52 lines (26 loc) · 3 KB
/
UPDATE! Threat Intelligence Alert 14.02.22 - Critical Adobe Commerce and Magento Vulnerability Exploited in the Wild.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Threat Intelligence Alert: Critical Adobe Commerce and Magento Vulnerability Exploited in the Wild
Key Details
CVE-2022-24086
Affected Products – Adobe Commerce and Magento Open Source 2.3.3-p1-2.3.7-p2 and 2.4.0-2.4.3-p1
Disclosure Date – 13th February 2022
CVSS Score – 9.8/10
Exploit Released - Yes
Patch Available – Yes
Summary
Adobe released a security update on the 13th February pertaining to a critical vulnerability in its Commerce and Magento Open Source products as it’s reportedly currently being exploited in the wild. It has been assigned CVE-2022-24086 and given a CVSS score of 9.8 (CRITICAL), as it has been identified as an “improper input validation” issue, of which have historically been leveraged to achieve remote code execution.
Additionally, the exploitation of this vulnerability does not require the user to be authenticated, further heightening its severity, although an adversary would need admin privileges for exploitation. This exploit is currently being weaponised in the wild to facilitate directed attacks on Adobe Commerce Merchants.
Mitigation
Users of the affected platforms are advised to update to the newest versions as soon as possible. The following link provides details of the patches, download links as well as instructions for installation: https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-.
NCC Group Actions
NCC Group will continue to track this vulnerability and will update this alert with any critical developments and any emerging IoC’s will be identified and added to our Threat Intelligence Platform for monitoring.
Sources
https://helpx.adobe.com/security/products/magento/apsb22-12.html
https://thehackernews.com/2022/02/critical-magento-0-day-vulnerability.html#
--------------------------------------
Update 18/02/2022:
On the 17th of February, Adobe released an update to CVE-2022-24086 pertaining to the affected versions of Adobe Commerce and Magento Open Source and a new issue. This new issue has been assigned CVE-2022-24087 with the same CVSS score of 9.8, which can be have the same results as the original exploit when leveraged. Adobe have stressed that attempting to block exploitation attemps on a WAF is not a sufficient mitigation as the bug is exploitable "without specific and non-removable constructions in the request.”
Positive Technologies suggest that though a complete exploit has been described as "difficult" for threat actors to develop as technical details are not yet available, (they have no intention of releasing a PoC exploit), we should not underestimate motivated threat actor's determination and persistence.
This development further stresses the importance of updating these two products as soon as possible if in use.
Sources:
https://helpx.adobe.com/security/products/magento/apsb22-12.html
https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/