Exploit appeared for a critical vulnerability in Magento, and Adobe fixed a second similar bug

An exploit appeared for a dangerous zero-day vulnerability in Magento and Adobe Commerce (CVE-2022-24086), and Adobe developers discovered that the problem could be exploited in another way, released a new patch and assigned the new vulnerability ID CVE-2022-24087.

Let me remind you that the 0-day vulnerability CVE-2022-24086 (9.8 points out of 10 on the CVSS scale) was discovered and fixed last week. The bug presented an error that allowed remote arbitrary code execution without authentication. According to Adobe, the root of the problem was incorrect input validation.

As early as last week, the company warned that this problem was already being abused by hackers, albeit in rare targeted attacks so far. In total, researchers estimate that there are more than 17,000 sites vulnerable to this problem, some of which are owned by large enterprises.

Adobe has now updated the security bulletin for CVE-2022-24086 with a new issue that has the ID CVE-2022-24087 and the same CVSS score. The new problem can also lead to remote code execution and be used in attacks. The company’s specialists have already released additional patches for Adobe Commerce and Magento Open Source.

The discovery of the second critical error (CVE-2022-24087) is attributed to information security researchers known under the pseudonyms Eboda and Blaklis. Moreover, they emphasize that applying only the first patch is not enough.

Interestingly, according to Fabian Schmengler, another information security specialist and certified Magento developer, the latest fix for CVE-2022-24087 (MDVA-43443) breaks the CSS configuration for Template Styles in email templates “because all curly braces are removed to clean up input”. However, he writes that less colourful emails are a good compromise, especially if it allows you not to be exposed to the RCE vulnerability.

In the meantime, Positive Technologies analysts even reported that they had created a working exploit for the original CVE-2022-24086 problem. The researchers report that attackers exploiting this bug can gain “full access to the target system with web server privileges.”

Bleeping Computer, which spoke with experts, says that trying to protect against the exploitation of this bug through the WAF setting can hardly be called a good idea, since the problem can be exploited in several ways that do not imply the presence of “specific and fatal constructs in the request.”

According to Positive Technologies, the development of a full-fledged exploit is a rather difficult task, while the technical details are not available. However, once this hurdle is removed, attacks on vulnerable systems become “reasonably simple and straightforward.”

Recall also that last September Magento-based stores suffered from the biggest attack since 2015.