CVE-2022-24086 and CVE-2022-24087 – zero-day vulnerabilities in Magento Open Source and Adobe Commerce

On Sunday, February 13th, Adobe released a patch for a critical zero-day vulnerability affecting all current Adobe Commerce and Magento Open Source versions.

Update on February 18th, 2022:
On February 17th, Adobe released a second patch (CVE-2022-24087) for the same type of vulnerability.

CVE-2022-24086 and CVE-2022-24087 allow arbitrary remote code execution and received a staggering CVSS score of 9.8, making them critical vulnerabilities.

Adobe has reported that this vulnerability is already being exploited:

Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks against Adobe Commerce merchants.

Adobe Security Bulletin (APSB22-12)

We advise all merchants to apply the patch immediately.

In order to fully fix the vulnerabilities, both patches must be applied. The patches come in three variants, so the one matching your Magento / Adobe Commerce version must be chosen. The variants cover the following version ranges:

  • 2.4.3 to 2.4.3-p1
  • 2.3.4-p2 to 2.4.2-p2
  • 2.3.3-p1 to 2.3.4

Fortunately, the patches are small and can be applied with little effort. As always, test all changes (this one included) on a test server first.

The next Magento release is scheduled for March 8th – until then the patches have to be applied manually.

Magento patches like these can also be applied with Composer, which is essential for any automated deployment process.
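As an added example that is not part of the original post, the Python helper below reads the installed platform version from composer.lock and selects the matching patch variant from the three version ranges listed above, refusing versions that none of the ranges cover. It assumes a standard Composer-based install, where the magento/product-community-edition or magento/product-enterprise-edition metapackage carries the platform version; the composer.lock excerpt is constructed for illustration.

```python
import json
import re

# Inclusive version ranges of the three patch variants, as listed in the advisory.
VARIANTS = [
    ("2.4.3", "2.4.3-p1"),
    ("2.3.4-p2", "2.4.2-p2"),
    ("2.3.3-p1", "2.3.4"),
]

# Assumption: the metapackage version equals the platform release on a Composer install.
METAPACKAGES = ("magento/product-community-edition", "magento/product-enterprise-edition")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

def version_key(version: str) -> tuple:
    """Turn '2.4.2-p2' into a comparable tuple (2, 4, 2, 2); a release without -pN counts as p0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def patch_variant(version: str) -> str:
    """Return the 'low to high' label of the variant covering `version`, or raise if none does."""
    key = version_key(version)
    for low, high in VARIANTS:
        if version_key(low) <= key <= version_key(high):
            return f"{low} to {high}"
    raise ValueError(f"no listed patch variant covers version {version}; check the vendor bulletin")

def installed_version(composer_lock_text: str) -> str:
    """Read the platform version from composer.lock by locating the Magento metapackage."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg["version"]
    raise ValueError("no Magento metapackage found in composer.lock")

# Constructed composer.lock excerpt for a 2.4.2-p1 Open Source install (not a real lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.2-p1"},
    {"name": "magento/product-community-edition", "version": "2.4.2-p1"},
]})

if __name__ == "__main__":
    v = installed_version(SAMPLE_LOCK)
    print(f"installed {v}: apply patch variant {patch_variant(v)}")
```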