Adobe Discloses Zero-Day Vulnerability

THE THREAT

On February 13th, Adobe released security patches to address a critical zero-day vulnerability impacting Magento Open-Source products. The vulnerability is tracked as CVE-2022-24086 (CVSS: 9.8); it is an Input Validation vulnerability found in both Adobe Commerce and Magento Open Source. Exploitation of the vulnerability results in arbitrary code execution. This vulnerability is highly concerning as it is pre-authentication; meaning that no prior access is required for successful exploitation.

According to Adobe, exploitation of CVE-2022-24086 has been identified in limited attacks targeting Adobe Commerce merchants. As attacks are ongoing, it is critical that organizations apply the relevant security patches immediately.

What we’re doing about it

• The eSentire Threat Intelligence team is actively tracking this vulnerability for additional details and detection opportunities
• eSentire Managed Vulnerability Service (MVS) will automatically add the relevant plugins for this vulnerability once details are made available

What you should do about it

• After performing a business impact review, apply the relevant security patches provided by Adobe
  • Alternative mitigations are not currently available, raising the importance of ensuring patches are deployed

Additional information

CVE-2022-24086 impacts Adobe Commerce 2.4.3-p1 and 2.3.7-p2 and earlier versions, as well as Magento Open Source 2.4.3-p1 and 2.3.7-p2 and earlier versions. Adobe Commerce version 2.3.3 and lower are not vulnerable.

Details relating to the exploitation of CVE-2022-24086 are not publicly available at this time. Additional details on real world attacks are expected in the near future. The eSentire Threat Intelligence team is actively tracking this vulnerability for additional details and detection opportunities.

References:

[1] https://helpx.adobe.com/security/products/magento/apsb22-12.html