Connect with us

Hi, what are you looking for?


Malware & Threats

Patch for Actively Exploited Flaw in Adobe Commerce and Magento Bypassed

Adobe has announced new patches for the Commerce and Magento e-commerce platforms after researchers discovered that a fix for an actively exploited zero-day can be bypassed.

Adobe has announced new patches for the Commerce and Magento e-commerce platforms after researchers discovered that a fix for an actively exploited zero-day can be bypassed.

Adobe informed Commerce and Magento users on Sunday that it had become aware of a critical vulnerability that allows remote code execution without authentication.

The software giant said the flaw, tracked as CVE-2022-24086, has been “​​exploited in the wild in very limited attacks targeting Adobe Commerce merchants.”

The company updated its initial advisory on Thursday to inform Commerce and Magento users that they need to apply two patches — one on top of the other — in order to protect their online stores against attacks. The patches are MDVA-43395 and MDVA-43443.

Researchers discovered that the patch for CVE-2022-24086 can be bypassed, which led Adobe to assign a new CVE identifier, namely CVE-2022-24087. Adobe says it’s not aware of any attacks exploiting this second weakness.

Researchers who use the online monikers Eboda and Blaklis have been credited by Adobe for reporting CVE-2022-24087, but the patch bypass was also independently discovered by cybersecurity firm Positive Technologies, which also claims to have reproduced the initial exploit.

Adobe told SecurityWeek that exploitation of CVE-2022-24086 was discovered by its internal security team, but it could not share additional information regarding the attacks.

Advertisement. Scroll to continue reading.

It’s not uncommon for threat actors to target Magento-powered stores. One recent attack involved more than 500 online stores powered by Magento 1, targeted by cybercriminals to plant web skimmers designed to harvest user data. The attackers exploited a combination of flaws and leveraged the fact that Magento 1 no longer receives security updates.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies to patch the Commerce/Magento vulnerability by March 1.

Related: Adobe Patches Reader Flaws That Earned Hackers $150,000 at Chinese Contest

Related: Adobe Patches Gaping Security Flaws in 14 Software Products

Related: Adobe Joins Security Patch Tuesday Frenzy

Related: Adobe Patches Critical RoboHelp Server Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.