Adobe Discloses Zero-Day Vulnerability

February 14, 2022

THE THREAT

On February 13th, Adobe released security patches to address a critical zero-day vulnerability impacting Magento Open Source products. The vulnerability is tracked as CVE-2022-24086 (CVSS: 9.8); it is an input validation vulnerability found in both Adobe Commerce and Magento Open Source. Exploitation of the vulnerability results in arbitrary code execution. This vulnerability is highly concerning because it is pre-authentication, meaning that no prior access is required for successful exploitation.

According to Adobe, exploitation of CVE-2022-24086 has been identified in limited attacks targeting Adobe Commerce merchants. As attacks are ongoing, it is critical that organizations apply the relevant security patches immediately.

What we’re doing about it

What you should do about it

Additional information

CVE-2022-24086 impacts Adobe Commerce 2.4.3-p1 and 2.3.7-p2 and earlier versions, as well as Magento Open Source 2.4.3-p1 and 2.3.7-p2 and earlier versions. Adobe Commerce versions 2.3.3 and lower are not vulnerable.
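The version ranges above can be applied to an asset inventory as a first triage pass. The following is an added example, not code from Adobe or eSentire; the function names, result labels and inventory hostnames are hypothetical, and it assumes that "2.3.3 and lower" means releases after 2.3.3 (such as 2.3.3-p1) are in the affected range for both products.

```python
import re

# Bounds taken from the advisory text; tuples are (major, minor, patch, pN).
NOT_VULNERABLE_MAX = (2, 3, 3, 0)   # "2.3.3 and lower are not vulnerable"
AFFECTED_MAX = {                    # highest affected release per branch
    (2, 3): (2, 3, 7, 2),           # 2.3.7-p2 and earlier
    (2, 4): (2, 4, 3, 1),           # 2.4.3-p1 and earlier
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-pN' into a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def triage(text):
    """Classify one version string against the advisory's stated ranges."""
    try:
        v = parse_version(text)
    except ValueError:
        return "unknown"                # e.g. pre-release tags: review by hand
    if v <= NOT_VULNERABLE_MAX:
        return "not-vulnerable"
    ceiling = AFFECTED_MAX.get(v[:2])
    if ceiling is not None and v <= ceiling:
        return "affected"               # confirm the Adobe patch is applied
    return "outside-stated-range"       # newer than the advisory covers


def affected_hosts(inventory):
    """Return the hosts whose recorded version is in the affected range."""
    return sorted(h for h, ver in inventory.items() if triage(ver) == "affected")


# Constructed inventory for illustration; hostnames are made up.
INVENTORY = {
    "shop-a.example": "2.4.3-p1",
    "shop-b.example": "2.3.3",
    "shop-c.example": "2.3.3-p1",
    "shop-d.example": "2.4.3-p2",
    "shop-e.example": "2.4.2-beta1",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(f"{host}\t{ver}\t{triage(ver)}")
```

A result of `affected` means only that the recorded version falls in the range the advisory lists; whether the security patch has since been applied must be confirmed on the host.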

Details relating to the exploitation of CVE-2022-24086 are not publicly available at this time. Additional details on real-world attacks are expected in the near future. The eSentire Threat Intelligence team is actively tracking this vulnerability for additional details and detection opportunities.

References:

[1] https://helpx.adobe.com/security/products/magento/apsb22-12.html