00:00 Adobe Magento 2 RCE Bug Is Vulnerable To Cyber-Attacks | Cybersecurity News
05:17 What can we learn?
According to Adobe, a zero-day remote code execution (RCE) vulnerability in the Magento 2 and Adobe E-commerce platforms has been extensively exploited globally, necessitating the release of an emergency fix over the weekend.
The security flaw (CVE-2022-24086) is serious, as it allows for pre-authentication RCE due to incorrect input validation. To be successful, an attacker would need administrative access.
According to SanSec, which took a thorough look at the Magento bug and its patch, the following steps should be taken:
• Install the Adobe custom patch as soon as possible, preferably within the next few hours, if you’re using Magento 2.3 or 2.4.
• You should be able to install the update immediately if you're running Magento 2 version 2.3.3 or 2.3.7, as the patch only affects a few lines.
• However, if you are using Magento 2.3.3 or lower, you are not immediately vulnerable. SanSec, on the other hand, still recommends manually applying the patch.
For online merchants, upgrading is essential: the Magecart group is well known for targeting unsecured Magento installations in particular, looking for a way to install credit-card skimmers on eCommerce checkout pages.