SanSec found that Magento and Adobe Commerce store owners are deliberately bypassing a critical vulnerability patch released in Spring 2022. Because of this, store sites again become vulnerable to attacks, and some have already been hacked.
Let me remind you that we also talked about the fact that Thousands of Citrix Servers Are Still Vulnerable to Already Fixed Bugs, and also that Adobe developers fixed critical vulnerabilities in Magento.This is a vulnerability CVE-2022-24086 (9.8 points out of 10 on the CVSS scale), which allows remote execution of arbitrary code without authentication and affects Magento and Adobe Commerce. This bug was fixed in February 2022, and even then, the developers warned that hackers were exploiting the vulnerability, albeit in rare targeted attacks.
It soon became clear that the released patch could be easily bypassed, and Adobe introduced the second batch of fixes and assigned a new issue ID (CVE-2022-24087). Also around this time, a PoC exploit appeared that targeted this problem. Massive attacks on the vulnerability began towards the end of 2022.
SanSec analysts explain that in order to fix the vulnerability, Adobe engineers removed smart email templates and replaced the old email template variable resolver with a new one to prevent potential injections. The fact is that the bug allowed attackers to place malicious orders in vulnerable stores, abusing the functionality of email templates, which ultimately led to the seizure of control over the vulnerable site.
But as it turned out now, many vendors and site owners do not like the changes made by the company, some of whom preferred to “return to the original functionality” at the expense of security. In doing so, they again exposed their stores to a critical vulnerability, although they installed all the necessary patches.
According to the company, it got to the point that some vendors tried to either reactivate the old resolver or change the functionality of the new one (by copying code from older versions of Magento).
Moreover, in some cases, people definitely understood what they were doing, as they tried to reduce risks by adding basic filtering of insecure user input to the ordering system. Analysts note that this will not help prevent exploitation of the bug, given that the vulnerability can also be exploited from other subsystems if they are somehow connected with email.
