The researchers at Sansec have warned of a surge in hacking attempts on Magento 2 sites. A critical Magento 2 vulnerability tracked as CVE-2022-24086 enables unauthenticated attackers to execute code on unpatched Magento sites.
Magento, a popular open-source eCommerce platform by Adobe, is used by thousands of e-stores worldwide. Sansec researchers have alerted the merchants of a hacking campaign exploiting the CVE-2022-24086 Magento 2 vulnerability.
In February 2022, Adobe released security updates to address this flaw affecting Adobe Commerce and Magento open-source products; at the time, the company confirmed it was actively exploited.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” Adobe advisory was published.
The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, and it is classified as a pre-authentication issue meaning it could be exploited without credentials.
The vulnerability affects the below versions of the Adobe products:
The Three Variants of Attack
Three attack variants are exploiting CVE-2022-24086 to inject a Remote Access Trojan (RAT) on vulnerable endpoints.
The first variant – initiates by creating a new customer account on the target platform through a malicious template code in the first and last names and placing an order later.
The injected code then decodes to command and downloads a Linux executable (“223sam.jpg”), launched in the background as a process. This RAT phones to a Bulgaria-based server to receive commands.
“This attack method defeats some of the security features of the Adobe Commerce Cloud platform, such as a read-only code base and restricted PHP execution under pub/media,” explains Sansec in the report.
“The RAT has full access to the database and the running PHP processes,… and can be injected on any of the nodes in a multi-server cluster environment.”
The second attack injects a PHP backdoor (“health_check.php”) through a template code in the VAT field of the placed order.
This code creates a new file (“pub/media/health_check.php”), accepting the commands via POST requests.
The third attack employs template code that executes to replace “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with a malicious, backdoor version.
The Sansec team of researchers has urged Magento 2 site administrators to stick to the security guidelines on the Adobe Commerce and Magento open-source support page. As an Adobe Solutions partner, ioVista suggests you upgrade your Magento or Adobe Commerce to the latest version.
Albert Wood is an accomplished eCommerce Business Analyst. As a technology futurist and sales motivator at ioVista, Albert is dedicated to transforming struggling eCommerce businesses into thriving enterprises. With a keen focus on client’s business processes, user experience (UX), and leveraging the power of digital marketing, he helps businesses optimize their online presence and drive sustainable growth. Albert’s passion is for virtual reality (VR), augmented reality (AR), and mixed reality (MR), immersing himself in unforgettable experiences and exploring the limitless possibilities they offer. His enthusiasm for these emerging technologies fuels his drive to push the boundaries of innovation in eCommerce.
Albert Wood
30 Oct 2023Albert Wood
21 Sep 2023Albert Wood
05 Sep 2023Albert Wood
05 Jul 2023Albert Wood
09 May 2023Albert Wood
29 Mar 2023Albert Wood
17 Feb 2023Albert Wood
01 Feb 2023Albert Wood
12 Jan 2023Albert Wood
05 Jan 2023Albert Wood
20 Dec 2022Albert Wood
15 Dec 2022Albert Wood
09 Dec 2022Albert Wood
07 Dec 2022Albert Wood
24 Nov 2022Albert Wood
17 Nov 2022Albert Wood
17 Nov 2022Albert Wood
04 Nov 2022Albert Wood
27 Oct 2022Albert Wood
20 Oct 2022Albert Wood
07 Oct 2022Albert Wood
27 Sep 2022Albert Wood
15 Sep 2022Albert Wood
10 Sep 2022Albert Wood
30 Aug 2022Albert Wood
25 Aug 2022Albert Wood
23 Aug 2022Albert Wood
17 Aug 2022Albert Wood
10 Aug 2022Albert Wood
02 Aug 2022Albert Wood
25 Jul 2022Albert Wood
19 Jul 2022Albert Wood
01 Jul 2022Albert Wood
24 Jun 2022Albert Wood
14 Jun 2022Albert Wood
11 May 2022Albert Wood
03 May 2022Albert Wood
29 Apr 2022Albert Wood
27 Apr 2022Albert Wood
21 Apr 2022Albert Wood
13 Apr 2022Albert Wood
01 Apr 2022Albert Wood
29 Mar 2022Albert Wood
01 Mar 2022Albert Wood
24 Feb 2022Albert Wood
15 Feb 2022Albert Wood
11 Feb 2022Albert Wood
04 Feb 2022Albert Wood
27 Jan 2022Albert Wood
13 Jan 2022Albert Wood
10 Jan 2022Albert Wood
17 Dec 2021Albert Wood
13 Dec 2021Albert Wood
30 Nov 2021Albert Wood
26 Oct 2021Albert Wood
20 Oct 2021Albert Wood
05 Oct 2021Albert Wood
30 Sep 2021Albert Wood
21 Sep 2021Albert Wood
17 Sep 2021Albert Wood
08 Sep 2021Albert Wood
11 Aug 2021Albert Wood
05 Aug 2021Albert Wood
29 Jul 2021Albert Wood
15 Jul 2021Albert Wood
16 Jun 2021Albert Wood
03 Jun 2021Albert Wood
06 May 2021Albert Wood
04 May 2021Albert Wood
15 Apr 2021Albert Wood
17 Mar 2021Albert Wood
18 Feb 2021Albert Wood
15 Feb 2021Albert Wood
28 Jan 2021Albert Wood
21 Jan 2021Albert Wood
26 Nov 2020Albert Wood
11 Nov 2020Albert Wood
24 Sep 2020Albert Wood
08 Sep 2020Albert Wood
01 Sep 2020Albert Wood
18 Aug 2020Albert Wood
13 Aug 2020Albert Wood
01 Aug 2020Albert Wood
29 Jul 2020Albert Wood
21 Jul 2020Albert Wood
14 Jul 2020Albert Wood
09 Jul 2020Albert Wood
29 Jun 2020Albert Wood
11 Jun 2020Albert Wood
02 Jun 2020Albert Wood
21 May 2020Albert Wood
11 May 2020Albert Wood
24 Apr 2020Get in touch with us if you have a web development or digital marketing project that you would like to get underway!
TOP
ioVista
We firmly believe that the internet should be available and accessible to anyone, and are committed to providing a website that is accessible to the widest possible audience, regardless of circumstance and ability.
To fulfill this, we aim to adhere as strictly as possible to the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA level. These guidelines explain how to make web content accessible to people with a wide array of disabilities. Complying with those guidelines helps us ensure that the website is accessible to all people: blind people, people with motor impairments, visual impairment, cognitive disabilities, and more.
This website utilizes various technologies that are meant to make it as accessible as possible at all times. We utilize an accessibility interface that allows persons with specific disabilities to adjust the website’s UI (user interface) and design it to their personal needs.
Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. This application remediates the website’s HTML, adapts Its functionality and behavior for screen-readers used by the blind users, and for keyboard functions used by individuals with motor impairments.
If you’ve found a malfunction or have ideas for improvement, we’ll be happy to hear from you. You can reach out to the website’s operators by using the following email
Our website implements the ARIA attributes (Accessible Rich Internet Applications) technique, alongside various different behavioral changes, to ensure blind users visiting with screen-readers are able to read, comprehend, and enjoy the website’s functions. As soon as a user with a screen-reader enters your site, they immediately receive a prompt to enter the Screen-Reader Profile so they can browse and operate your site effectively. Here’s how our website covers some of the most important screen-reader requirements, alongside console screenshots of code examples:
Screen-reader optimization: we run a background process that learns the website’s components from top to bottom, to ensure ongoing compliance even when updating the website. In this process, we provide screen-readers with meaningful data using the ARIA set of attributes. For example, we provide accurate form labels; descriptions for actionable icons (social media icons, search icons, cart icons, etc.); validation guidance for form inputs; element roles such as buttons, menus, modal dialogues (popups), and others. Additionally, the background process scans all of the website’s images and provides an accurate and meaningful image-object-recognition-based description as an ALT (alternate text) tag for images that are not described. It will also extract texts that are embedded within the image, using an OCR (optical character recognition) technology. To turn on screen-reader adjustments at any time, users need only to press the Alt+1 keyboard combination. Screen-reader users also get automatic announcements to turn the Screen-reader mode on as soon as they enter the website.
These adjustments are compatible with all popular screen readers, including JAWS and NVDA.
Keyboard navigation optimization: The background process also adjusts the website’s HTML, and adds various behaviors using JavaScript code to make the website operable by the keyboard. This includes the ability to navigate the website using the Tab and Shift+Tab keys, operate dropdowns with the arrow keys, close them with Esc, trigger buttons and links using the Enter key, navigate between radio and checkbox elements using the arrow keys, and fill them in with the Spacebar or Enter key.Additionally, keyboard users will find quick-navigation and content-skip menus, available at any time by clicking Alt+1, or as the first elements of the site while navigating with the keyboard. The background process also handles triggered popups by moving the keyboard focus towards them as soon as they appear, and not allow the focus drift outside of it.
Users can also use shortcuts such as “M” (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.
We aim to support the widest array of browsers and assistive technologies as possible, so our users can choose the best fitting tools for them, with as few limitations as possible. Therefore, we have worked very hard to be able to support all major systems that comprise over 95% of the user market share including Google Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS and NVDA (screen readers), both for Windows and for MAC users.
Despite our very best efforts to allow anybody to adjust the website to their needs, there may still be pages or sections that are not fully accessible, are in the process of becoming accessible, or are lacking an adequate technological solution to make them accessible. Still, we are continually improving our accessibility, adding, updating and improving its options and features, and developing and adopting new technologies. All this is meant to reach the optimal level of accessibility, following technological advancements. For any assistance, please reach out to
Get in Touch