On February 18, 2022, Adobe released a patch for CVE-2021-24086 that fixes an RCE bug in the Magento Open Source and Adobe Commerce platforms. The zero-day vulnerability was under active attack last weekend, resulting in Adobe releasing an emergency patch. Discovered by Eboda and Blaklis, CVE-2021-24086 is an arbitrary code execution vulnerability.
This week, researchers at Positive Technologies bypassed the patch for CVE-2021-24086 and reproduced the exploit. The new exploit, now tracked as CVE-2022-24087, is an elevation of privilege vulnerability in the Azure IoT CLI extension.
If an attacker is successful, he could deploy malicious code on a website and attain un-authenticated admin-level privileges. CVE-2022-2487 has a rating of 9.8 on the CVSS vulnerability-scoring system and unlike CVE-2022-24086 (which has limited attacks), has not been exploited in the wild. In Adobe’s update, the company stated that they are aware of the vulnerability, and they’ve released an update for these versions of Adobe Commerce and Magento Open Source:
Although Positive Technologies was able to successfully reproduce CVE-2021-24086, they have yet to share proof-of-concept (PoC) for the exploit with the public. There is a user guide for directions on how to manually install the update, which can be found on the company’s website.
The Positive Technologies team stated that a web application firewall (WAF) won’t help defend against attacks due to the various ways one can leverage the RCE bug. This kind of issue is extremely useful for threat actors looking to skim data from online stores (credit cards).
To resolve this vulnerability, Adobe recommends the following patches for CVE-2021-24087:
At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
Security updates available for Adobe Commerce APSB22-12 – Adobe Commerce Help Center (magento.com)
Researchers Made a Working Exploit For Adobe's Magento Vulnerability (techdator.net)
Related Reading:
BlackCat Ransomware and Triple Extortion
Contact us for more information about Avertium’s managed security service capabilities.