{"id":17990,"date":"2022-02-16T15:02:52","date_gmt":"2022-02-16T09:32:52","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=17990"},"modified":"2026-05-26T10:22:57","modified_gmt":"2026-05-26T04:52:57","slug":"critical-0-day-vulnerability-found-in-magento-2","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/critical-0-day-vulnerability-found-in-magento-2\/","title":{"rendered":"CVE-2022-24086: Critical 0-Day Vulnerability Found in Magento 2 and Adobe Commerce"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>A critical remote code execution (RCE)<\/strong> vulnerability was recently discovered in Magento 2 and Adobe Commerce, and the <strong>vulnerability is reported to be actively exploited in the wild<\/strong>.<br><br>The vulnerability is classified as an <em>improper input validation<\/em> bug that allows attackers to remotely execute commands on the victim&#8217;s website without needing any access to the site.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to Adobe\u2019s security advisory <a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento\/apsb22-12.html\" target=\"_blank\" rel=\"noreferrer noopener\">released<\/a> this week, the vulnerability has a <a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento\/apsb22-12.html\" target=\"_blank\" rel=\"noreferrer noopener\">CVSS score of 9.8<\/a> and currently <strong>affects websites<\/strong> and eCommerce stores running on unpatched <strong>Adobe Commerce and Magento v2.3 or v2.4<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAdobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,\u201d the <a href=\"https:\/\/support.magento.com\/hc\/en-us\/articles\/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-\" target=\"_blank\" rel=\"noreferrer noopener\">advisory<\/a> further 
reads.<\/p>\n\n\n\n<h2 id=\"what-is-remote-code-execution-rce\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_Remote_Code_Execution_RCE\"><\/span><strong>What is Remote Code Execution (RCE)?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Remote code execution is a class of attack in which an attacker runs code of their choosing on a target system. In the unauthenticated case, as with CVE-2022-24086, the attacker needs no credentials or prior access to the site.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Remote code execution attacks are becoming increasingly common as attackers target websites running vulnerable code. If your website is not protected against these attacks, you risk having your data stolen or your server compromised.<\/p>\n\n\n\n<h2 id=\"how-to-fix-cve-2022-24086\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_fix_CVE-2022-24086\"><\/span><strong>How to fix CVE-2022-24086?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Adobe has now released a patch addressing this critical RCE vulnerability. 
If you are running Adobe Commerce or Magento Open Source, apply one of the following patches:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/magento\/knowledge-base\/blob\/main\/src\/troubleshooting\/known-issues-patches-attached\/assets\/MDVA-43395_EE_2.4.3-p1_v1.patch.zip?raw=true\" target=\"_blank\" rel=\"noopener\">MDVA-43395_EE_2.4.3-p1_v1.patch.zip<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/magento\/knowledge-base\/blob\/main\/src\/troubleshooting\/known-issues-patches-attached\/assets\/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip?raw=true\" target=\"_blank\" rel=\"noopener\">MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Unzip the file and follow the steps in this article to apply the composer patch: <a href=\"https:\/\/support.magento.com\/hc\/en-us\/articles\/360028367731\" target=\"_blank\" rel=\"noopener\">https:\/\/support.magento.com\/hc\/en-us\/articles\/360028367731<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><strong>Note:<\/strong> If you run a website, make sure it is protected from attackers. One of the most common ways for attackers to gain access to a website is through unauthenticated remote code execution vulnerabilities.<\/em><\/p>\n\n\n\n<h2 id=\"preventing-input-validation-attacks\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Preventing_Input_Validation_Attacks\"><\/span><strong>Preventing Input Validation Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A key strategy for preventing input validation attacks is to validate all user-supplied data before processing it. 
Validation checks should be simple and fast, but they must also be thorough, leaving the attacker no gaps to exploit.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An attacker&#8217;s goal is always to slip through your defenses by finding a weakness in your validation process. Make sure you have taken measures against every known attack vector and that you keep up with current research on new attacker techniques.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Read Also:<\/strong> <a href=\"https:\/\/www.getastra.com\/blog\/penetration-testing\/owasp\" target=\"_blank\" rel=\"noreferrer noopener\">A Comprehensive Guide to OWASP Penetration Testing<\/a><\/p>\n\n\n\n<h2 id=\"how-can-astra-protect-you-from-cve-2022-24086\" class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_can_Astra_protect_you_from_CVE-2022-24086\"><\/span><strong>How can Astra protect you from CVE-2022-24086?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/www.getastra.com\/services\/continuous-vulnerability-scanning\">continuous vulnerability scanning<\/a> provided in Astra\u2019s Pentest Suite can detect this RCE vulnerability (CVE-2022-24086). 
The vulnerability scanner can also recommend steps required to fix this vulnerability.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"457\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2021\/10\/Automated-Scan-1.gif\" alt=\"\" class=\"wp-image-16131\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2021\/10\/Automated-Scan-1.gif 800w, \/cdn-cgi\/image\/width=400,height=230,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2021\/10\/Automated-Scan-1.gif 400w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\"><em>Image: Automated Vulnerability Scanning Dashboard<\/em><\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1156\" height=\"672\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2021\/09\/Automated-scan-results-Astra.png\" alt=\"\" class=\"wp-image-15449\"\/><figcaption class=\"wp-element-caption\"><em>Image: Vulnerability scan results with Astra Pentest (example)<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">With Astra\u2019s Pentest Suite, you can test your web applications and networks with over 3000 automated tests and manual pentesting. 
The risk-based vulnerability scoring approach, combined with straightforward vulnerability management, helps your organization patch critical vulnerabilities and other security loopholes on time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical remote code execution (RCE) vulnerability has been recently discovered in Magento 2 and Adobe\u2019s Commerce platforms. And the vulnerability is said to be actively exploited in the wild by hackers.The vulnerability is distinguished as an improper input validation bug that can allow attackers to remotely execute commands on the victim&#8217;s website without the &#8230; <a title=\"CVE-2022-24086: Critical 0-Day Vulnerability Found in Magento 2 and Adobe Commerce\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/vulnerability\/critical-0-day-vulnerability-found-in-magento-2\/\" aria-label=\"Read more about CVE-2022-24086: Critical 0-Day Vulnerability Found in Magento 2 and Adobe Commerce\">Read 
more<\/a><\/p>\n","protected":false},"author":91,"featured_media":17991,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[723],"tags":[],"class_list":["post-17990","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/17990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=17990"}],"version-history":[{"count":7,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/17990\/revisions"}],"predecessor-version":[{"id":47129,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/17990\/revisions\/47129"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/17991"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=17990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=17990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=17990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}