An urgent security fix for merchants running Magento 2 was released on 13 February 2022. Adobe released it as a standalone fix over the weekend because it was deemed too critical to wait for the regular release cycle.
Adobe informs us that the vulnerability designated CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.
CVE-2022-24086 has been assigned a CVSS (Common Vulnerability Scoring System) score of 9.8. CVSS assigns a severity score to each vulnerability, giving responders a basis for prioritising responses and resources in line with the level of threat. Scores range from 0 to 10, with 10 being the most severe.
These updates resolve a vulnerability rated critical. Successful exploitation by a malicious user could lead to arbitrary code execution. Now that this issue is mainstream Magento news and being used in the wild, attacks attempting to use this vulnerability will increase significantly.
The term "in the wild" refers to a vulnerability that is widely published and documented, which results in an increase in attacks using this method.
Adobe has confirmed this affects both Open Source and Commerce versions unless you are running a version lower than 2.3.3. However, we would still advise that every store is reviewed and the patch applied manually.
The vulnerability was first posted to the CVE database on 27 January 2022.
If you have any questions about the status of your Magento Store or need help applying the patch, please get in contact with us today!
Further information can be found in the official sources below:
Adobe Security Bulletin
Developer Installation Notes: