Adobe on Sunday took the unusual step of releasing an out-of-band patch for a critical zero-day vulnerability in Magento 2, an open-source e-commerce platform.
In a blog post on Monday, Sansec researchers said the vulnerability, CVE-2022-24086, allows unauthenticated remote code execution (RCE), which most researchers agree is the worst possible type. Exploitation in the wild has already been reported, and Sansec expects mass scanning and exploitation within the next 72 hours.
The Sansec researchers said Adobe has been aware of the issue since at least Jan. 27, but opted to issue a patch on Sunday.
Too often, developers build software for how the designers want it to work, rather than how people — including threat actors — actually use it, explained Casey Bisson, head of product and developer relations at BluBracket. Bisson said it took many years for automakers to realize locks and seatbelts were critical features of a car, and that kind of transition is still happening in the software industry now.
“This attack is especially risky because it takes advantage of an execution path that normally shouldn’t exist between user input and the PHP script interpreter,” Bisson said. “Scrubbing user input to prevent injection attacks is always a top priority, but especially so in situations that allow user input to be executed by the script interpreter.”
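To make Bisson's point concrete, here is an added illustration of the execution path he describes: a PHP request handler that lets user input reach the script interpreter, beside a hardened version that keeps that input as data. This is example code written for this article, not Magento's code and not the code path behind CVE-2022-24086, whose details the article does not give; the `greeting` parameter, the allowlist and the template string are placeholders constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's code): one feature written two ways. The first
// lets request data reach the PHP interpreter; the second keeps request data
// as data. Names such as `greeting` and `customer` are placeholders.

// UNSAFE: the request value is spliced into source text that eval() then runs,
// so whatever the client sends in `greeting` is treated as PHP code, not text.
function renderGreetingUnsafe(array $request, string $customer): string
{
    $greeting = $request['greeting'] ?? 'Hello';
    $code = 'return "' . $greeting . ', " . $customer . "!";';
    return eval($code);
}

// SAFE: request data is checked against an allowlist, substituted into a fixed
// template as a value, and escaped for the output context. At no point does a
// path exist from the request to the interpreter.
const ALLOWED_GREETINGS = ['Hello', 'Welcome back', 'Good day'];

function renderGreetingSafe(array $request, string $customer): string
{
    $greeting = $request['greeting'] ?? 'Hello';
    if (!is_string($greeting) || !in_array($greeting, ALLOWED_GREETINGS, true)) {
        // Reject rather than "clean": unexpected input is a detection signal,
        // so record it (hex-encoded, so the log itself cannot be abused) and
        // fall back to the default.
        $logged = is_string($greeting) ? bin2hex($greeting) : gettype($greeting);
        error_log('rejected greeting value: ' . $logged);
        $greeting = 'Hello';
    }
    $template = '{greeting}, {customer}!';
    $rendered = strtr($template, [
        '{greeting}' => $greeting,
        '{customer}' => $customer,
    ]);
    // Escape for HTML output; the value is still text, never code.
    return htmlspecialchars($rendered, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request, as it would arrive from ?greeting=Welcome+back
$request = ['greeting' => 'Welcome back'];
echo renderGreetingSafe($request, 'Ada') . PHP_EOL;
```

The hardened version shows what "scrubbing" has to mean in practice: not stripping suspicious characters from a string that is still going to be executed, but choosing a design in which the interpreter never sees the string at all, validating against an allowlist, and escaping for the output context. Rejected values are logged because, once a flaw like this is being mass-scanned, unexpected parameter values are among the earliest signals a defender gets.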
Mike Parkin, an engineer at Vulcan Cyber, said this new attack against Magento 2 shows how tenacious and creative threat actors are in their efforts to get and maintain a foothold in target environments.
“Adobe’s response is reasonably rapid, considering this vulnerability is being actively exploited,” Parkin said. “Applying the patch should be a high priority for any organization that uses the affected software.”