Magento 2 Vulnerability: Surge in Hacking on Unpatched Stores

27 Sep 2022
Albert Wood

Cybercriminals and hacking groups are back at it.

Researchers at Sansec have warned of a surge in attacks on Magento 2 stores. The critical vulnerability tracked as CVE-2022-24086 lets unauthenticated attackers execute code on unpatched Magento installations.

Magento, a popular open-source eCommerce platform owned by Adobe, powers thousands of online stores worldwide. Sansec has alerted merchants to an active campaign exploiting CVE-2022-24086.

In February 2022, Adobe released security updates for this flaw in Adobe Commerce and Magento Open Source; at the time, the company confirmed it was already being exploited.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the Adobe advisory states.

CVE-2022-24086 has a CVSS score of 9.8 out of 10. Adobe classifies it as improper input validation, and it is a pre-authentication issue, meaning it can be exploited without any credentials.

According to Adobe's advisory, the vulnerability affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier, and 2.3.7-p2 and earlier.

The Three Variants of Attack

Sansec describes three attack variants exploiting CVE-2022-24086; the first plants a Remote Access Trojan (RAT) and the other two plant PHP backdoors on vulnerable servers.

The first variant starts by creating a new customer account on the target store with malicious template code in the first and last name fields, then placing an order so that the template code is processed.

The injected code decodes to a command that downloads a Linux executable (“223sam.jpg”) and launches it as a background process. This RAT phones home to a Bulgaria-based server to receive commands.

“This attack method defeats some of the security features of the Adobe Commerce Cloud platform, such as a read-only code base and restricted PHP execution under pub/media,” explains Sansec in the report.

“The RAT has full access to the database and the running PHP processes,… and can be injected on any of the nodes in a multi-server cluster environment.”

The second variant injects a PHP backdoor (“health_check.php”) through template code placed in the VAT field of the order.

When executed, this code writes a new file, “pub/media/health_check.php”, which accepts commands via POST requests.

The third variant uses template code that replaces “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with a malicious, backdoored version.
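Each of the three variants leaves a trace an administrator can look for: template syntax in customer name or VAT fields (variant one and two), a PHP file under pub/media (variant two), and request-handling code inside a generated interceptor that should contain nothing but plugin dispatch (variant three). The following Python check is an added example written for this article; it is not Sansec's or Adobe's tooling. The customer records and the file tree it scans are constructed stand-ins, the directive in the sample name field is ordinary Magento template syntax rather than the real payload, and the list of directive keywords and the "suspicious PHP" tokens are heuristics chosen here.

```python
import os
import re
import tempfile

# Magento template directives look like {{var customer.name}} or {{block id="x"}}.
# A real first name, last name or VAT ID never contains this syntax, so any hit
# in a customer- or order-supplied field is an indicator for CVE-2022-24086.
# Keyword list is an assumption covering the common Magento directive names.
TEMPLATE_DIRECTIVE = re.compile(
    r"\{\{\s*(var|block|template|if|depend|widget|css|inlinecss|trans|config|protocol|store|layout)\b",
    re.IGNORECASE,
)

# Only the fields the attack variants are known to abuse.
WATCHED_FIELDS = ("firstname", "lastname", "vat_id")


def find_template_injection(records):
    """Return (record_id, field, value) for every watched field holding a template directive."""
    hits = []
    for rec in records:
        for field in WATCHED_FIELDS:
            value = rec.get(field) or ""  # tolerate NULL columns
            if TEMPLATE_DIRECTIVE.search(value):
                hits.append((rec["id"], field, value))
    return hits


# File-level indicators for the second and third variants.
BACKDOOR_PATH = os.path.join("pub", "media", "health_check.php")
INTERCEPTOR_PATH = os.path.join(
    "generated", "code", "Magento", "Framework", "App", "FrontController", "Interceptor.php"
)
# Heuristic (assumption): a generated interceptor is plugin-dispatch boilerplate and
# never reads request superglobals or calls eval/base64_decode/system/shell_exec.
SUSPICIOUS_PHP = re.compile(
    r"\$_(POST|GET|REQUEST|COOKIE)\b|\beval\s*\(|\bbase64_decode\s*\(|\bsystem\s*\(|\bshell_exec\s*\("
)


def check_backdoor_files(magento_root):
    """Return (kind, relative_path) findings for planted PHP in pub/media and a tampered interceptor."""
    findings = []
    # Variant two: PHP under pub/media is never legitimate; health_check.php is the reported name,
    # but any .php there is reported so a renamed dropper is not missed.
    media_dir = os.path.join(magento_root, "pub", "media")
    for dirpath, _, files in os.walk(media_dir):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), magento_root)
                findings.append(("php_in_media", rel))
    # Variant three: generated interceptor carrying request handling or eval.
    interceptor = os.path.join(magento_root, INTERCEPTOR_PATH)
    if os.path.isfile(interceptor):
        with open(interceptor, encoding="utf-8", errors="replace") as fh:
            if SUSPICIOUS_PHP.search(fh.read()):
                findings.append(("tampered_interceptor", INTERCEPTOR_PATH))
    return findings


# Constructed sample customer rows (not real data). Record 104 shows that a stray
# brace in a name is not reported: only a real directive keyword after "{{" counts.
SAMPLE_RECORDS = [
    {"id": 101, "firstname": "Maria", "lastname": "Ivanova", "vat_id": "BG123456789"},
    {"id": 102, "firstname": "{{var order.increment_id}}", "lastname": "Smith", "vat_id": ""},
    {"id": 103, "firstname": "John", "lastname": "Doe", "vat_id": '{{block id="footer"}}'},
    {"id": 104, "firstname": "Curly {{ braces", "lastname": "Fan", "vat_id": None},
]


def build_demo_tree():
    """Create a constructed Magento-like tree with one planted backdoor and one tampered interceptor."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    os.makedirs(os.path.join(root, "pub", "media", "catalog"))
    os.makedirs(os.path.dirname(os.path.join(root, INTERCEPTOR_PATH)))
    with open(os.path.join(root, BACKDOOR_PATH), "w") as fh:
        fh.write("<?php @eval($_POST['cmd']);\n")  # stand-in for the dropped backdoor
    with open(os.path.join(root, INTERCEPTOR_PATH), "w") as fh:
        fh.write(
            "<?php\nnamespace Magento\\Framework\\App\\FrontController;\n"
            "if (isset($_POST['x'])) { eval($_POST['x']); }\n"  # stand-in for the backdoored interceptor
            "class Interceptor extends \\Magento\\Framework\\App\\FrontController {}\n"
        )
    return root


if __name__ == "__main__":
    for hit in find_template_injection(SAMPLE_RECORDS):
        print("template directive in customer data:", hit)
    for finding in check_backdoor_files(build_demo_tree()):
        print("file indicator:", finding)
```

On a live store the records would come from the customer_entity and sales_order tables and the root from the store's install directory; a clean result from this check says nothing about an already-running RAT process, which the first variant launches outside the web root, so a process listing is still needed.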

Sansec has urged Magento 2 site administrators to follow the security guidelines on the Adobe Commerce and Magento Open Source support page. As an Adobe Solutions Partner, ioVista recommends upgrading Magento or Adobe Commerce to the latest version. Patching closes the entry point but does not remove anything already planted, so a store that ran unpatched while these attacks were active should also be checked for the files and customer records described above.


Albert Wood is a technology futurist, sales stimuli, motivator, and E-commerce specialist at ioVista. As a data-driven and digital marketing evangelist, Albert’s passion is transforming struggling e-commerce businesses into sales-generating powerhouses through the right combination of UX and digital marketing strategies.
