Magento has found a new vulnerability in Zend Framework 1 and 2 EMAIL COMPONENT. The component is used by all Magento 1 and Magento 2 software along with other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.

To protect the site from this vulnerability, one should immediately check the mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from the Magento store:

Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

If “Set Return-Path” is set to “Yes” and server uses Sendmail, then the store is vulnerable to this exploit. Enterprise Cloud Edition customers do not need to worry about this issue. Magento has already checked the configuration and their store is not at risk.

While Magento team has not yet observed attacks using this vulnerability, the risk is very high. Until patches are available, we strongly recommend to turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.