A critical remote code execution (RCE) vulnerability was recently discovered in Magento 2 and Adobe Commerce, and it is reported to be actively exploited in the wild.
The flaw is classified as an improper input validation bug that allows an attacker to execute commands remotely on the victim's website without needing any access to the site.
According to the security advisory Adobe released this week, the vulnerability has a CVSS score of 9.8 and affects websites and eCommerce stores running unpatched Adobe Commerce and Magento v2.3 or v2.4.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the advisory further reads.
What is Remote Code Execution (RCE)?
Remote code execution is a type of attack that lets an attacker run code of their choosing on a target system without needing to authenticate.
Remote code execution attacks are becoming increasingly common as attackers target websites running vulnerable code. If your website is not protected against them, your data could be stolen or your server compromised.
How to fix CVE-2022-24086?
Adobe has now released a patch for this critical RCE vulnerability. If you run Adobe Commerce or Magento Open Source, apply one of the following patches:
Unzip the file, then follow the steps in this article to apply the composer patch: https://support.magento.com/hc/en-us/articles/360028367731
Note: If you run a website, it is important to make sure it is protected from attackers. One of the most common ways for attackers to gain access to a website is through unauthenticated remote code execution vulnerabilities.
Preventing Input Validation Attacks
A key strategy for preventing input validation attacks is to validate all user-supplied data before processing it. Validation checks should be simple and fast, but they must also be thorough, leaving the attacker no room to manoeuvre.
The attacker's goal is always to slip through your defenses by finding a weakness in your validation process. Make sure you have taken measures against every known attack vector, and keep up with current research on new techniques used by attackers.
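The following is an added example, not code from the original post or from Adobe or Magento, showing what "validate all user-supplied data before processing it" looks like in practice in PHP 8 (the language Magento is written in). It uses allowlist rules: each expected field is checked against the exact shape it may take, anything that does not match is rejected rather than cleaned up, and unknown fields are dropped. The field names, rules and sample requests are constructed for illustration and do not correspond to any real Magento form.

```php
<?php
// Added example (not from the original post, Adobe or Magento): allowlist
// validation of user-supplied request fields before any processing happens.
// Field names, rules and sample inputs are constructed for illustration.

declare(strict_types=1);

/**
 * Validation rules: each field gets an allowlist describing what it may look like.
 * Input that does not match is rejected outright, never "sanitised" into shape.
 */
const RULES = [
    'customer_email' => ['type' => 'email',   'max' => 254],
    'order_id'       => ['type' => 'int',     'min' => 1, 'max' => PHP_INT_MAX],
    'coupon_code'    => ['type' => 'pattern', 'pattern' => '/^[A-Z0-9_-]{1,32}$/'],
    'country'        => ['type' => 'enum',    'values' => ['US', 'CA', 'GB', 'DE']],
];

/**
 * Validate a single field against its rule.
 * Returns the normalised value on success, or null when the input is rejected.
 */
function validateField(string $name, mixed $value): mixed
{
    if (!array_key_exists($name, RULES) || !is_string($value)) {
        return null;                                  // unknown field or non-scalar input
    }
    $rule = RULES[$name];

    // Control characters (including CR/LF) are never acceptable in form fields.
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }

    switch ($rule['type']) {
        case 'email':
            if (strlen($value) > $rule['max']) {
                return null;
            }
            return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
        case 'int':
            $n = filter_var($value, FILTER_VALIDATE_INT, [
                'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
            ]);
            return $n === false ? null : $n;          // returns a real int, not the raw string
        case 'pattern':
            return preg_match($rule['pattern'], $value) === 1 ? $value : null;
        case 'enum':
            return in_array($value, $rule['values'], true) ? $value : null;
    }
    return null;
}

/**
 * Validate a whole request. Every expected field must pass; keys that are not
 * in RULES are silently dropped so they never reach business logic.
 */
function validateRequest(array $input): array
{
    $clean  = [];
    $errors = [];
    foreach (array_keys(RULES) as $name) {
        $v = validateField($name, $input[$name] ?? '');
        if ($v === null) {
            $errors[] = $name;
        } else {
            $clean[$name] = $v;
        }
    }
    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// Constructed sample requests: one well-formed, one with a trailing newline in
// the e-mail, an out-of-range order id, a malformed coupon, an unknown country
// and an unexpected extra key.
$good = ['customer_email' => 'jane@example.com', 'order_id' => '1042',
         'coupon_code' => 'SPRING-10', 'country' => 'CA'];
$bad  = ['customer_email' => "jane@example.com\n", 'order_id' => '0',
         'coupon_code' => 'spring 10!', 'country' => 'XX', 'extra' => 'dropped'];

foreach (['good' => $good, 'bad' => $bad] as $label => $request) {
    $result = validateRequest($request);
    printf("%s: %s%s\n", $label,
        $result['ok'] ? 'accepted' : 'rejected',
        $result['ok'] ? '' : ' (' . implode(', ', $result['errors']) . ')');
}
```

Two design points are worth noting. First, the rules describe what is allowed, not what is forbidden: a blocklist of "bad" characters always leaves room for an encoding or syntax the author did not think of, which is exactly the breathing room the paragraph above warns against. Second, validation of this kind is defence in depth; it narrows the attack surface of your own code but does not patch a vulnerability inside the platform, so it complements the Adobe patch rather than replacing it.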
How can Astra protect you from CVE-2022-24086?
The continuous vulnerability scanning in Astra's Pentest Suite can detect this RCE vulnerability (CVE-2022-24086) and recommend the steps needed to fix it.
With Astra's Pentest Suite, you can test your web applications and networks with over 3,000 automated tests and manual pentesting. Its risk-based vulnerability scoring and straightforward vulnerability management help your organization patch critical vulnerabilities and other security loopholes on time.