More threat actors have been exploiting an already-patched critical security flaw in Magento 2, tracked as CVE-2022-24086, with Sansec researchers discovering three new attack variants that leverage the vulnerability to inject remote access trojans, reports BleepingComputer.
Attackers behind the first variant have been creating a new customer account on the targeted platform containing template code, which allows the deployment of the Linux executable "223sam.jpg"; the executable receives commands from a server in Bulgaria, according to a report from Sansec.
"This attack method defeats some of the security features of the Adobe Commerce Cloud platform, such as a read-only code base and restricted PHP execution under pub/media. The RAT has full access to the database and the running PHP processes, and can be injected on any of the nodes in a multi-server cluster environment," said researchers.
Moreover, the second attack injects the PHP backdoor "health_check.php", while the third involves a backdoored version of "generated/code/Magento/Framework/App/FrontController/Interceptor.php".
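A defender-side check for the indicators described above, added here as an example and not code from Sansec or BleepingComputer: it flags Magento template directive syntax in customer records (the injection vector behind CVE-2022-24086) and risky PHP calls in the auto-generated interceptor class. The customer records and interceptor contents are constructed, and the field names are assumptions modelled on Magento's customer entity.

```python
import re

# Magento's template filter evaluates {{...}} directives. CVE-2022-24086 is an
# improper-input-validation flaw that let attacker-supplied directives reach that
# filter, so template syntax inside customer identity fields is a strong indicator.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{\s*\w+.*?\}\}", re.DOTALL)
CUSTOMER_FIELDS = ("firstname", "lastname", "company", "street", "telephone")  # assumed field names

# PHP constructs that never belong in Magento's auto-generated interceptor classes.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)


def find_template_directives(customers):
    """Return (entity_id, field, value) for customer fields carrying {{...}} syntax."""
    hits = []
    for record in customers:
        for field in CUSTOMER_FIELDS:
            value = record.get(field) or ""
            if TEMPLATE_DIRECTIVE.search(value):
                hits.append((record["entity_id"], field, value))
    return hits


def suspicious_php_calls(source):
    """Return the sorted set of risky function names found in PHP source text."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(source)})


# Constructed sample data (not from the report): two customer records and two
# versions of generated/code/Magento/Framework/App/FrontController/Interceptor.php.
SAMPLE_CUSTOMERS = [
    {"entity_id": 1, "firstname": "Alice", "lastname": "Ng", "company": "Acme"},
    {"entity_id": 2, "firstname": "{{var customer.name}}", "lastname": "Doe"},
]
CLEAN_INTERCEPTOR = (
    "<?php\nnamespace Magento\\Framework\\App\\FrontController;\n"
    "class Interceptor extends \\Magento\\Framework\\App\\FrontController "
    "implements \\Magento\\Framework\\Interception\\InterceptorInterface {}\n"
)
# A generated class carrying a decode-and-eval stub that the generator would never emit.
BACKDOORED_INTERCEPTOR = CLEAN_INTERCEPTOR + "eval(base64_decode($blob));\n"

if __name__ == "__main__":
    for hit in find_template_directives(SAMPLE_CUSTOMERS):
        print("template directive in customer %d.%s: %r" % hit)
    print("clean interceptor:", suspicious_php_calls(CLEAN_INTERCEPTOR))
    print("backdoored interceptor:", suspicious_php_calls(BACKDOORED_INTERCEPTOR))
```

On a real deployment, the interceptor check is best paired with regenerating `generated/code` from a clean build and diffing, since the generated file legitimately exists and only its contents are suspect.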