Threat actors are exploiting a critical vulnerability in Magento to inject a persistent backdoor into ecommerce websites, cybersecurity firm Sansec reports.
The issue, tracked as CVE-2024-20720 (CVSS score of 9.1), is described as an OS command injection flaw leading to arbitrary code execution without user interaction.
Adobe resolved the critical vulnerability in February 2024 in both Adobe Commerce and Magento, as part of its Tuesday Patch updates. However, it appears that there are websites that have yet to be updated and remain vulnerable to exploitation.
According to Sansec, threat actors have discovered a clever way to exploit CVE-2024-20720, using a crafted layout template in the database to inject XML code that can reinfect Magento servers even after a manual fix.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested,” Sansec explains.
As part of the observed attacks, the backdoor is added to the automatically generated content management system (CMS) controller, ensuring the backdoor is periodically reinjected and providing persistent remote code execution via POST commands.
The threat actors have employed the mechanism to inject a fake Stripe payment skimmer and steal payment data from the compromised web stores.
Users are advised to update to Magento versions 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7 as soon as possible, and to scan their websites for any signs of a malware infection.
Related: Patch Tuesday: Adobe Warns of Critical Flaws in Widely Deployed Software
Related: CISA Warns of Attacks Exploiting Adobe Acrobat Vulnerability
Related: Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability