CVE-2022-24086: Critical 0-Day Vulnerability Found in Magento 2 and Adobe Commerce

Updated on: May 2, 2023

CVE-2022-24086: Critical 0-Day Vulnerability Found in Magento 2 and Adobe Commerce

A critical remote code execution (RCE) vulnerability has been recently discovered in Magento 2 and Adobe’s Commerce platforms. And the vulnerability is said to be actively exploited in the wild by hackers.

The vulnerability is distinguished as an improper input validation bug that can allow attackers to remotely execute commands on the victim’s website without the need of site access.

According to Adobe’s security advisory released this week, the vulnerability obtained 9.8 CVSS Score and is currently affecting websites and eCommerce stores running on unpatched Adobe Commerce and Magento v2.3 or v2.4

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.”, the advisory further reads.

See our Intelligent Firewall and Malware Scanner in action

Stop bad bots, SQLi, RCE, XSS, CSRF, RFI/LFI and thousands of cyberattacks and hacking attempts.
Try Free Trial
Let us know if you like it 😃

What is Remote Code Execution (RCE)?

Remote code execution is a type of attack that allows an attacker to execute code on a target system, without the need for authentication.

Remote code execution attacks are becoming more and more common, as attackers are increasingly targeting websites with vulnerable code. If your website is not protected against these attacks, you could be at risk of having your data stolen or your server compromised.

How to fix CVE-2022-24086?

After addressing this critical RCE vulnerability, Adobe has now released a patch. If you are running on Adobe Commerce or Magento Open Source then apply one of the following patches:

Unzip the file and further you can follow the steps mentioned in this article to apply the composer patch:

Note: If you run a website, it’s important to make sure that it is protected from attackers. One of the most common ways for attackers to gain access to your website is through unauthenticated remote code execution vulnerabilities.

Preventing Input Validation Attacks

A key strategy to prevent input validation attacks is to validate all user-supplied data prior to processing. Validation checks should be simple and fast, but they must also be thorough without allowing the attacker any breathing room.

The goal of the attacker is always to slip through your defenses by finding a weakness in your validation process. Make sure you have taken measures against every known attack vector and that you keep up with current research on new techniques used by attackers.

Read Also: A Comprehensive Guide to OWASP Penetration Testing

How can Astra protect you from CVE-2022-24086?

A continuous vulnerability scanning provided in Astra’s Pentest Suite is capable of detecting this RCE vulnerability (CVE-2022-24086). The vulnerability scanner can also recommend steps required to fix this vulnerability.

Image: Automated Vulnerability Scanning Dashboard
Image: Vulnerability scan results with Astra Pentest (example)

With Astra’s Pentest Suite, you can test your web applications and networks with over 3000 automated tests and manual pentesting. The risk-based vulnerability scoring approach along with easy vulnerability management helps your organization patch critical vulnerabilities and other security loopholes on time.

It is one small security loophole v/s your entire website / web app

Get your web app audited & strengthen your defenses!
See Pricing
Starting from $99/month

Was this post helpful?

Kanishk Tagade

Kanishk Tagade is a B2B SaaS marketer. He is also corporate contributor at many technology magazines. Editor-in-Chief at "", his work is published in more than 50+ news platforms. Also, he is a social micro-influencer for the latest cybersecurity, digital transformation, AI/ML and IoT products.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany