Magento Vulnerability Advisory | September 2022

Threat actors are actively exploiting a critical vulnerability in Adobe’s Magento e-commerce platform. Here's what you need to know.

Background

On September 22nd, 2022, security researchers published a report detailing an uptick in threat actors compromising vulnerable instances of the Magento Open-Source and Adobe Commerce e-commerce platform. Customers are advised to update all affected products immediately.

Quick facts: what you need to know now

  • The vulnerability affects Magento Open Source 2.4.3-p1 and earlier versions, Magento Open Source 2.3.7-p2 and earlier versions, Adobe Commerce 2.4.3-p1 and earlier versions, and Adobe Commerce 2.3.7-p2 and earlier versions.
  • Threat actors are actively exploiting an improper input validation vulnerability, using a variety of techniques to achieve remote code execution.
  • All of these techniques result in code execution that either downloads additional malware or gives the attackers a backdoor for running further commands.

Next Steps for Magento E-commerce Platform users:

  1. Install the security patches released by Adobe for the affected products. See here for official vendor guidance.
  2. Apply the MDVA-43395 patch first.
  3. Following the first patch, install the MDVA-43443 patch.
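To help decide which installations still need the two patches, the following version-range check is an added example written for this advisory; it is not Adobe's or Magento's own tooling. It parses Magento/Adobe Commerce version strings (including the `-pN` patch level), applies the affected ranges quoted above per release branch, and triages a constructed sample inventory. It assumes that "X and earlier versions" applies within each listed branch (so 2.3.7-p3, if present, is outside the 2.3 range) and that branches older than 2.3 fall under "earlier versions"; branches newer than 2.4 are treated as outside the advisory's scope. Hostnames and versions in the sample are constructed, not real systems.

```python
import re
from typing import Dict, List, Tuple

# Upper bounds of the affected ranges quoted in the advisory, per release branch.
# The advisory says "X and earlier versions"; every release in the same branch
# at or below the bound is treated as affected (assumption: per-branch reading).
AFFECTED_UPPER_BOUND = {
    (2, 4): (2, 4, 3, 1),  # 2.4.3-p1 and earlier
    (2, 3): (2, 3, 7, 2),  # 2.3.7-p2 and earlier
}

# Accepts "2.4.3", "2.4.3-p1", and a two-part "2.4" (patch defaults to 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Magento version string such as '2.4.3-p1' into a comparable tuple.

    A missing '-pN' patch level counts as 0, so '2.4.3' sorts before '2.4.3-p1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED_UPPER_BOUND:
        return v <= AFFECTED_UPPER_BOUND[branch]
    # Anything older than the 2.3 branch is an "earlier version" of both ranges.
    if branch < (2, 3):
        return True
    # Branches newer than those listed are outside what this advisory covers.
    return False


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs from {host: version} that still need patching."""
    return sorted((host, ver) for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; not real hosts or findings.
    SAMPLE_INVENTORY = {
        "shop-prod-01.example": "2.4.3-p1",   # affected: at the 2.4 upper bound
        "shop-prod-02.example": "2.4.4",      # not affected: above the bound
        "shop-legacy.example": "2.3.7",       # affected: below 2.3.7-p2
        "shop-staging.example": "2.3.7-p3",   # not affected: above the 2.3 bound
        "shop-old.example": "2.2.11",         # affected: earlier branch
    }
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected; apply MDVA-43395, then MDVA-43443")
```

Feed `triage()` the output of whatever asset inventory you keep (the Magento version is what `bin/magento --version` reports on each host); the check only tells you which installations fall inside the advisory's ranges, not whether the two patches have already been applied, so confirm patch status on each flagged host before closing it out.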
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!