Security News > 2022 > February > Adobe: Zero-Day Magento 2 RCE Bug Under Active Attack
A zero-day remote code-execution bug in the Magento 2 and Adobe Commerce platforms has been actively exploited in the wild, Adobe said - prompting an emergency patch to roll out over the weekend.
If you are running Magento 2.3 or 2.4, install the custom patch from Adobe ASAP, ideally within the next few hours;.
If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to manually apply the patch, as it only concerns a few lines;.
SanSec noted on Monday that the bug came to light on Jan. 27, and that "This vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication."
Updating is important for online merchants: The Magecart group famously targets unpatched versions of Magento in particular, looking for a way to plant credit-card skimmers on the checkout pages of eCommerce websites.
Last week, SanSec reported a wave of skimming attacks targeting more than 500 sites, in particular those using outdated and unsupported Magento 1 implementations.
News URL
https://threatpost.com/adobe-zero-day-magento-rce-attack/178407/
Related news
- Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit (source)
- Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Rackspace monitoring data stolen in ScienceLogic zero-day attack (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Qualcomm patches high-severity zero-day exploited in attacks (source)
- Ivanti warns of three more CSA zero-days exploited in attacks (source)
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks (source)
- Mozilla fixes Firefox zero-day actively exploited in attacks (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)