Zero-Day Adobe Magento 2 RCE Bug Under Active Attack
On Sunday, Adobe issued an emergency fix for a zero-day that is being actively exploited by threat actors. The company advised eCommerce websites and companies alike to update their software as soon as possible to avoid Magecart card-skimming attacks and other risks. The vulnerability lies in the Magento 2 and Adobe Commerce platforms. Adobe confirmed reports that the bug is being actively exploited in the wild over the weekend, prompting it to release the emergency fix.
The bug allows for pre-authentication remote code execution (RCE) due to improper input validation. The vulnerability scores 9.8 out of 10 on the CVSS vulnerability severity scale. However, to exploit the flaw successfully, an attacker would need to have obtained administration privileges on the target’s system. The bug affects versions 2.3.7-p2 and earlier on both eCommerce platforms. The bug was revealed on January 27.