Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Magento Vulnerability Exploited to Deploy Persistent Backdoor

Attackers are exploiting a recent Magento vulnerability to deploy a persistent backdoor on ecommerce websites.

Threat actors are exploiting a critical vulnerability in Magento to inject a persistent backdoor into ecommerce websites, cybersecurity firm Sansec reports.

The issue, tracked as CVE-2024-20720 (CVSS score of 9.1), is described as an OS command injection flaw leading to arbitrary code execution without user interaction.

Adobe resolved the critical vulnerability in February 2024 in both Adobe Commerce and Magento, as part of its Tuesday Patch updates. However, it appears that there are websites that have yet to be updated and remain vulnerable to exploitation.

According to Sansec, threat actors have discovered a clever way to exploit CVE-2024-20720, using a crafted layout template in the database to inject XML code that can reinfect Magento servers even after a manual fix.

“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested,” Sansec explains.

As part of the observed attacks, the backdoor is added to the automatically generated content management system (CMS) controller, ensuring the backdoor is periodically reinjected and providing persistent remote code execution via POST commands.

The threat actors have employed the mechanism to inject a fake Stripe payment skimmer and steal payment data from the compromised web stores.

Users are advised to update to Magento versions 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7 as soon as possible, and to scan their websites for any signs of a malware infection.

Advertisement. Scroll to continue reading.

Related: Patch Tuesday: Adobe Warns of Critical Flaws in Widely Deployed Software

Related: CISA Warns of Attacks Exploiting Adobe Acrobat Vulnerability

Related: Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights