Adobe patches Magento CMS zero-day
Adobe released an emergency security update on Sunday to address a zero-day vulnerability in the Magento and Adobe Commerce platforms that attackers were actively abusing in the wild.
The zero-day, tracked as CVE-2022-24086, was described as a pre-authentication remote code execution issue. Adobe said the root cause of the bug was improper input validation.
Versions 2.3.7-p2 and earlier and 2.4.3-p1 and earlier of Magento Open Source (Adobe's open-source CMS) and of the Adobe Commerce cloud e-commerce platform are considered vulnerable to attacks and should be updated right away.
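Because Magento's "-pN" patch suffix sorts the opposite way from a semver pre-release tag, checking whether a store is still on an unpatched build is easy to get wrong. The following helper is an added illustration for triage, not code from Adobe or from this article; it assumes that "and earlier" refers to older releases on the same 2.3 or 2.4 branch, and it returns None for any branch the advisory did not list rather than guessing.

```python
import re
from typing import Dict, Optional, Tuple

# Highest still-vulnerable release on each branch, taken from the advisory
# coverage above: 2.3.7-p2 and earlier, 2.4.3-p1 and earlier.
# Assumption: "and earlier" means older releases within the same minor branch.
LAST_VULNERABLE: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (2, 3): (2, 3, 7, 2),
    (2, 4): (2, 4, 3, 1),
}

# Matches "2.4.3" or "2.4.3-p1"; search (not match) tolerates a prefix such as
# the "Magento CLI ..." banner printed by bin/magento --version (assumption).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Magento version string into a tuple that compares correctly.

    A missing -p suffix is patch level 0, so 2.4.3 sorts *before* 2.4.3-p1:
    Magento's -pN is a later security patch release, unlike a semver
    pre-release tag, which would sort lower than the bare version.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def is_vulnerable_to_cve_2022_24086(text: str) -> Optional[bool]:
    """True if the build is at or below the last vulnerable release of its
    branch, False if it is newer, None if the branch is not covered here."""
    version = parse_version(text)
    last = LAST_VULNERABLE.get(version[:2])
    if last is None:
        return None
    return version <= last


def triage(store_versions: Dict[str, str]) -> Dict[str, str]:
    """Label each store as 'unpatched', 'patched' or 'unknown branch'."""
    labels = {True: "unpatched", False: "patched", None: "unknown branch"}
    return {
        store: labels[is_vulnerable_to_cve_2022_24086(version)]
        for store, version in store_versions.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders.
    inventory = {
        "shop-a.example": "Magento CLI 2.4.3-p1",
        "shop-b.example": "2.4.3-p2",
        "shop-c.example": "2.3.7-p2",
        "shop-d.example": "2.2.11",
    }
    for store, status in triage(inventory).items():
        print(f"{store}: {status}")
```

Feeding the helper the version reported by each store's CLI (or by a package manifest) gives a quick list of hosts that still need the update; anything labelled "unknown branch" should be checked by hand against the vendor bulletin rather than assumed safe.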
In a separate Magento security bulletin, Adobe described the attacks as "very limited."
E-commerce sites are some of the most valuable targets on the internet today, as once they are compromised, they can be infected with malware that steals buyers' payment card data.
These types of attacks, known as web skimmers or Magecart attacks, have been taking place since 2016, and they don't appear to be stopping any time soon.
Just last week, e-commerce security firm Sansec reported a campaign that infected more than 500 Magento 1.x stores.
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
— Sansec (@sansecio) January 25, 2022
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.