What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Update: Adobe Discloses Zero-Day Vulnerability

February 18, 2022 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

Security researchers have identified a bypass for the Adobe patches that were released to address the recently disclosed Adobe zero-day vulnerability CVE-2022-24086 (CVSS: 9.8). Adobe has addressed the vulnerability under a new title, CVE-2022-24087. The new vulnerability has the same criticality score and impact as the previous vulnerability; exploitation allows for pre-authentication Remote Code Execution (RCE). Adobe has also expanded the list of impacted products to include additional versions of both Adobe Commerce and Magento Open Source.

Exploitation of CVE-2022-24086 has already been identified in the wild; eSentire assesses with high confidence that threat actors will alter current exploits in order to bypass the patch and exploit CVE-2022-24087. After performing a business impact review, organizations are strongly recommended to apply the relevant security patches released by Adobe on February 17th, 2022.

What we’re doing about it

What you should do about it

Additional information

Both CVE-2022-24086 and CVE-2022-24087 are pre-authentication vulnerabilities, meaning that no prior access is required for exploitation. Details relating to the exploitation of CVE-2022-24086 are not publicly available at this time. Similar vulnerabilities have been exploited in the past to deploy credit card skimmers and coin miners, host malicious content, and move laterally inside impacted organizations.

Additional details on real world attacks are expected in the near future. The eSentire Threat Intelligence team is actively tracking this vulnerability for additional details and detection opportunities.

Impacted Products:

References:

[1] https://twitter.com/ptswarm/status/1494593464683610115
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-24086
[3] https://helpx.adobe.com/security/products/magento/apsb22-12.html
[4] https://www.esentire.com/security-advisories/adobe-discloses-zero-day-vulnerability

View Most Recent Advisories