While many security patches are released for Magento 2 (now Adobe Commerce), most of them address flaws that are hard for attackers to take advantage of: for instance, they may require access to and knowledge of your admin area before anything harmful can be done to your store or installed on your site.
On February 13th, 2022, Adobe pulled a patch for the critical security vulnerability CVE-2022-24086 after users reported that the software was causing their systems to crash.
What exactly happened?
This week, researchers from cybersecurity firm Sansec uncovered a massive Magecart campaign that has already compromised more than 500 online stores running the Magento 1 eCommerce platform.
The threat actors behind this campaign deployed a skimmer loaded from the naturalfreshmall(.)com domain, and appeared intent on harvesting customer data as quickly as possible, with little regard for the damage such actions cause.
What is CVE-2022-24086?
CVE-2022-24086 is an “improper input validation” vulnerability that could be exploited by attackers with administrative privileges to achieve arbitrary code execution on vulnerable systems or stores.
CVE-2022-24086 has received a CVSS score of 9.8 out of 10. It is classified as pre-authentication, meaning an attacker does not need credentials for this type of attack.
CVE-2022-24086 allows unauthenticated remote code execution (RCE), which means attackers can scan the web for vulnerable sites and, where a store has not installed this security update from Adobe in time, get past its defenses without much trouble.
Successful exploitation gives the attacker control over every aspect of managing the online store, which is perilous for both the merchant and its customers.
Versions affected by CVE-2022-24086
This hazardous vulnerability affects the following versions of the product:
Adobe Commerce 2.4.3-p1, 2.4.3-p2 and earlier versions, and 2.3.7-p2 and earlier versions.
Magento Open Source 2.4.3-p1, 2.4.3-p2 and earlier versions, and 2.3.7-p2 and earlier versions.
Important Note: Adobe Commerce 2.3.3 and lower versions are not affected by CVE-2022-24086.
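As an added example (not code from the original post or from Adobe), here is a small triage helper that parses Magento/Adobe Commerce version strings such as `2.4.3-p1` and reports whether a store falls inside the affected ranges listed above. It assumes the ranges exactly as stated here (2.3.4 through 2.3.7-p2 and 2.4.0 through 2.4.3-p2, with 2.3.3 and lower unaffected); versions outside those ranges are reported as "not listed", not as safe.

```python
import re

# Affected ranges as stated in the post above. Tuples are (major, minor, patch, p-level);
# the "2.3.3 and lower are not affected" note sets the lower bound of the 2.3 branch.
AFFECTED_RANGES = [
    ((2, 3, 4, 0), (2, 3, 7, 2)),   # 2.3.4 .. 2.3.7-p2
    ((2, 4, 0, 0), (2, 4, 3, 2)),   # 2.4.0 .. 2.4.3-p2
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a release without a -pN suffix gets p-level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the version falls inside one of the affected ranges listed in the post."""
    v = parse_version(text)
    # Tuple comparison orders 2.4.3 < 2.4.3-p1 < 2.4.3-p2 < 2.4.4 as intended.
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to a status for a fleet report."""
    return {v: ("affected" if is_affected(v) else "not listed as affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample fleet of version strings, not real stores.
    for v, status in triage(["2.4.3-p1", "2.4.3-p2", "2.3.7-p2", "2.3.3", "2.3.5-p1", "2.4.4"]).items():
        print(f"{v:10s} {status}")
```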
Is there an alternative solution for CVE-2022-24086?
Unfortunately, due to the dynamic nature of this vulnerability, it is not something that can be comprehensively stopped with a Web Application Firewall (WAF) or other external tools. You should apply the official patch regardless, because your website may still fall victim if you do not take action now, and patching protects both you and the users of your online store.