Security News > 2022 > February > Researchers create exploit for critical Magento bug, Adobe updates advisory

Researchers create exploit for critical Magento bug, Adobe updates advisory
2022-02-17 23:24

Security researchers have created exploit code for CVE-2022-24086, the critical vulnerability affecting Adobe Commerce and Magento Open Source that Adobe that patched in an out-of-band update last Sunday.

The vulnerability, which Adobe saw being "Exploited in the wild in very limited attacks," received a severity score of 9.8 out of 10 and adversaries exploiting it can achieve remote code execution on affected systems without the need to authenticate.

Earlier today, Adobe updated its security advisory for CVE-2022-24086 adding a new issue that is now tracked as CVE-2022-24087, which has the same severity score and can lead to the same result when leveraged in attacks.

The researchers told BleepingComputer that attackers leveraging the bug can get "Full access to the target system with web-server privileges."

Positive Technologies researchers told us that developing "a complete exploit is quite a difficult task" if technical details are not available.

The researchers say that they have no plans to publish the proof-of concept exploit code they created or to share it privately within the infosec industry.


News URL

https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-16 CVE-2022-24086 Improper Input Validation vulnerability in multiple products
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process.
network
low complexity
adobe magento CWE-20
critical
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Adobe 166 68 2164 962 2112 5306
Magento 3 52 119 27 11 209