Patch now: Adobe releases emergency fix for exploited Commerce,  Magento zero-day

Adobe says the vulnerability is being used in attacks targeting Adobe Commerce users.
Written by Charlie Osborne, Contributing Writer

Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild. 

On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm's threat data, the security flaw is being weaponized "in very limited attacks targeting Adobe Commerce merchants."

Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, the maximum severity rating possible. 

The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a "product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."

CVE-2022-24086 does not require any administrator privileges to trigger. Adobe says the critical, pre-auth bug can be exploited in order to execute arbitrary code. 

As the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to accept fixes and mitigates further risks of exploit. 

The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. 

Adobe's patches can be downloaded and manually applied here

Earlier this month, Adobe issued security updates for products including Premiere Rush, Illustrator, and Creative Cloud. The patch round tackled vulnerabilities leading to arbitrary code execution, denial-of-service (DoS), and privilege escalation, among other issues. 

Last week, Apple released a fix in iOS 15.3.1 to squash a vulnerability in Apple's Safari browser that could be exploited for arbitrary code execution.

In February's Patch Tuesday, Microsoft resolved 48 vulnerabilities including one publicly-known zero-day security flaw. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards