Adobe: Zero-Day Magento 2 RCE Bug Under Active Attack (Security News, February 2022)

A zero-day remote code-execution bug in the Magento 2 and Adobe Commerce platforms has been actively exploited in the wild, Adobe said, prompting an emergency patch to roll out over the weekend.
- If you are running Magento 2.3 or 2.4, install the custom patch from Adobe ASAP, ideally within the next few hours.
- If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch, as it only concerns a few lines.
SanSec noted on Monday that the bug came to light on Jan. 27, and that "This vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication."
Updating is important for online merchants: The Magecart group famously targets unpatched versions of Magento in particular, looking for a way to plant credit-card skimmers on the checkout pages of eCommerce websites.
Last week, SanSec reported a wave of skimming attacks targeting more than 500 sites, in particular those using outdated and unsupported Magento 1 implementations.
News URL: https://threatpost.com/adobe-zero-day-magento-rce-attack/178407/
Related news
- SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks (source)
- Ivanti warns of new Connect Secure flaw used in zero-day attacks (source)
- Ivanti zero-day attacks infected devices with custom malware (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- SonicWall SMA appliances exploited in zero-day attacks (CVE-2025-23006) (source)
- Google fixes Android kernel zero-day exploited in attacks (source)
- 7-Zip MotW bypass exploited in zero-day attacks against Ukraine (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)