Adobe has announced new patches for the Commerce and Magento e-commerce platforms after researchers discovered that a fix for an actively exploited zero-day can be bypassed.
Adobe informed Commerce and Magento users that it had become aware of a critical vulnerability that allows remote code execution without authentication. The software giant said the flaw, tracked as CVE-2022-24086, has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.
The company updated its initial advisory on Thursday to inform Commerce and Magento users that they need to apply two patches, one on top of the other, to protect their online stores against attacks. The patches are MDVA-43395 and MDVA-43443.
Researchers discovered that the patch for CVE-2022-24086 can be bypassed, which led Adobe to assign a new CVE identifier, namely CVE-2022-24087. Adobe says it’s not aware of any attacks exploiting this second weakness.
The patch arrives as cybersecurity firm Positive Technologies disclosed it was able to successfully create an exploit for CVE-2022-24086 to gain remote code execution from an unauthenticated user, making it imperative that customers move quickly to apply the fixes to prevent possible exploitation.
The exploitation of CVE-2022-24086 was discovered by Adobe's internal security team, but the company has not shared additional information regarding the attacks.
One recent attack involved more than 500 online stores powered by Magento 1, targeted by cybercriminals to plant web skimmers designed to harvest user data. The attackers exploited a combination of flaws and leveraged the fact that Magento 1 no longer receives security updates.