Security News > 2022 > February > Adobe: Zero-Day Magento 2 RCE Bug Under Active Attack

A zero-day remote code-execution bug in the Magento 2 and Adobe Commerce platforms has been actively exploited in the wild, Adobe said - prompting an emergency patch to roll out over the weekend.
If you are running Magento 2.3 or 2.4, install the custom patch from Adobe ASAP, ideally within the next few hours;.
If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch, as it only concerns a few lines;.
SanSec noted on Monday that the bug came to light on Jan. 27, and that "This vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication."
Updating is important for online merchants: The Magecart group famously targets unpatched versions of Magento in particular, looking for a way to plant credit-card skimmers on the checkout pages of eCommerce websites.
Last week, SanSec reported a wave of skimming attacks targeting more than 500 sites, in particular those using outdated and unsupported Magento 1 implementations.
News URL
https://threatpost.com/adobe-zero-day-magento-rce-attack/178407/
Related news
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- Broadcom fixes three VMware zero-days exploited in attacks (source)
- PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Google fixes Android zero-days exploited in attacks, 60 other flaws (source)