Pierluigi Paganini
February 18, 2022
Positive Technologies researchers have created a working PoC exploit for the recently patched CVE-2022-24086 vulnerability affecting its Commerce and Magento Open Source products.
An attacker could use the exploit to achieve remote code execution from an unauthenticated user.
🔥 We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce.
— PT SWARM (@ptswarm) February 17, 2022
Successful exploitation could lead to RCE from an unauthenticated user. pic.twitter.com/QFXd7M9VVO
This week, Adobe rolled out security updates to address the critical CVE-2022-24086 flaw that impacts Commerce and Magento Open Source products, the company added that the flaw is being actively exploited in the wild.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.
The issue is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.
The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, it is classified as a pre-authentication issue which means that it could be exploited without credentials.
Experts believe that threat actors could create their own version of the CVE-2022-24086 exploit to conduct attacks in the wild, especially persistent and well-resourced attackers.
The flaw could be exploited to compromise e-stores using a vulnerable version of Magento.
The good news is that the researchers will not publicly release their PoC exploit code.
This week, US Cybersecurity and Infrastructure Security Agency (CISA) added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the CVE-2022-24086 flaw. CISA orders all Federal Civilian Executive Branch Agencies (FCEB) agencies to address it by March 1st, 2022.
Adobe has also updated the security advisory for this flaw by adding a new Improper Input Validation flaw tracked as CVE-2022-24087 (CVSS score 9.8).
The CVE-2022-24087 flaw was reported by researchers Eboda and Blaklis.
Blaklis warns that admins that have patched with the first patch are not secure even after applying the new updates.
A new patch have been published for Magento 2, to mitigate the pre-authenticated remote code execution. If you patched with the first patch, THIS IS NOT SUFFICIENT to be safe.
— Blaklis (@Blaklis_) February 17, 2022
Please update again!https://t.co/vtYj9Ic6ds@ptswarm (as you had a PoC too!)#magento
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Magento)
[adrotate banner=”5″]
[adrotate banner=”13″]
