Magento Security Flaw CVE-2022-24086 Hacks are Making a Comeback

Magento CVE Vulnerability

In February 2022, a critical vulnerability (CVE-2022-24086) was disclosed in Magento Open Source and Adobe Commerce. The flaw is an improper input validation bug in the checkout process: template code smuggled into customer-supplied order data is evaluated by the platform, which lets an unauthenticated attacker achieve arbitrary code execution on a vulnerable store. No administrative privileges are needed.

The vulnerability affected the following versions of the Magento products:

Product              | Version               | Platform
Adobe Commerce       | 2.4.3-p1 and earlier  | All
Adobe Commerce       | 2.3.7-p2 and earlier  | All
Magento Open Source  | 2.4.3-p1 and earlier  | All
Magento Open Source  | 2.3.7-p2 and earlier  | All

Adobe Commerce 2.3.3 and lower were not affected by the vulnerability.

Separately, nearly 500 online stores running the end-of-life Magento 1 platform were compromised in a campaign that combined SQL injection and PHP object injection. That incident is unrelated to CVE-2022-24086, which affects Magento 2 only, and Adobe has released patches for Magento 2.

Magento 1, however, no longer receives official support, so stores still running it have to rely on third-party patches to defend against newly found vulnerabilities.

What’s the Update?

Despite the patches and updates, security researchers are finding that attackers are still using the vulnerability to take over Magento stores that have not been patched.

The researchers have identified three main attack variants that exploit CVE-2022-24086 to inject malicious code into sites. All the attacks analysed by the security firm were interactive (hands-on) rather than fully automated, probably because the Magento checkout flow is hard to automate.

First attack: the attacker registers a customer account with malicious template code in the first-name and last-name fields. When the template is evaluated, the injected code downloads a Linux executable that connects back to a remote attacker-controlled server, giving the attacker full access to the database and the PHP processes.

Second attack: the attacker places an order with template code in the VAT field. When executed, the code drops a PHP backdoor at pub/media/health_check.php that accepts commands via POST requests.

Third attack: template code that, when executed, replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php with a malicious, backdoored version. Because this file lives in Magento's auto-generated code directory and is loaded on every request, the backdoor runs constantly and is easy to overlook.

What’s the Solution?

The fix is to apply Adobe's patches for CVE-2022-24086 (and the follow-up CVE-2022-24087, which closed a bypass of the first fix), keep the platform updated, and follow Magento security best practices. Beyond patching, monitor for the indicators described above: template directives such as {{var ...}} in customer names, addresses and VAT fields, a new pub/media/health_check.php, and any change to the generated Interceptor.php. Out of the box, keyword monitoring can notify you if the Linux executable from the first attack is downloaded to your store.
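The following script is an added example, not code from the original article, Adobe or the Magento project. It hunts for the three attack variants described above and for the monitoring indicators in the solution section: template directives in buyer-controlled fields (variants one and two), the dropped pub/media/health_check.php backdoor (variant two), and suspicious constructs in the generated Interceptor.php (variant three). It assumes customer and order-address data has already been exported as plain dicts (in practice from the customer_entity and sales_order_address tables or the REST API), that the store root is a local path, and that the SUSPICIOUS_PHP heuristic is a reasonable approximation of what never appears in Magento's auto-generated interceptor classes. The sample records are constructed for the demonstration.

```python
"""Indicator hunt for the CVE-2022-24086 attack variants (added example)."""
import re
from pathlib import Path

# Magento's template filter evaluates {{directive ...}} blocks (var, block, widget,
# template, config, if, depend, trans, customVar, ...). Legitimate shopper data never
# contains one, so a directive in a buyer-supplied field is a strong injection signal.
TEMPLATE_DIRECTIVE = re.compile(
    r"\{\{\s*(var|block|widget|template|config|if|depend|trans|customvar)\b", re.I
)

# Fields an unauthenticated shopper controls during registration and checkout.
BUYER_FIELDS = ("firstname", "lastname", "company", "vat_id", "street", "city")

# File-system indicators from attack variants two and three (paths from the article).
BACKDOOR_PATH = Path("pub/media/health_check.php")
INTERCEPTOR_PATH = Path("generated/code/Magento/Framework/App/FrontController/Interceptor.php")

# Heuristic (assumption): constructs that a clean generated interceptor never contains.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|system|shell_exec|passthru|assert)\s*\("
    r"|\$_(POST|GET|REQUEST|COOKIE)\b"
)


def find_template_injection(records):
    """Return (record_id, field, snippet) for every buyer field holding a template directive."""
    hits = []
    for rec in records:
        for field in BUYER_FIELDS:
            value = str(rec.get(field, ""))
            match = TEMPLATE_DIRECTIVE.search(value)
            if match:
                hits.append((rec["id"], field, value[match.start():match.start() + 40]))
    return hits


def interceptor_is_suspicious(source):
    """True if generated interceptor source contains constructs no legitimate one has."""
    return SUSPICIOUS_PHP.search(source) is not None


def check_store_files(root):
    """Return findings for the file-based indicators under a Magento store root."""
    root = Path(root)
    findings = []
    if (root / BACKDOOR_PATH).exists():
        findings.append(f"backdoor present: {BACKDOOR_PATH}")
    interceptor = root / INTERCEPTOR_PATH
    if interceptor.exists() and interceptor_is_suspicious(interceptor.read_text(errors="replace")):
        findings.append(f"suspicious code in generated interceptor: {INTERCEPTOR_PATH}")
    return findings


# Constructed sample data: a clean customer, one with directives in the name fields
# (variant one) and one with a directive in the VAT field (variant two).
SAMPLE_RECORDS = [
    {"id": 1, "firstname": "Ada", "lastname": "Lovelace", "vat_id": "GB123456789"},
    {"id": 2, "firstname": "{{var this.getTemplateFilter().filter(dummy)}}",
     "lastname": "{{var this.getTemplateFilter().addAfterFilterCallback(system)}}", "vat_id": ""},
    {"id": 3, "firstname": "Bob", "lastname": "Smith",
     "vat_id": "{{block class='Magento\\\\Framework\\\\View\\\\Element\\\\Template'}}"},
]

if __name__ == "__main__":
    for hit in find_template_injection(SAMPLE_RECORDS):
        print("template directive in buyer field:", hit)
    for finding in check_store_files("."):
        print(finding)
```

Run it from the store root (or point check_store_files at it) on a scheduled basis; any hit from find_template_injection is worth treating as an attempted exploit even if the file checks come back clean, because the injected template only fires when the affected record is rendered.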
