Customers using Adobe’s Commerce and Magento platforms for e-commerce stores could be at risk of a cyberattack, according to a security firm that tracks such instances. The concern is great enough that on Sunday, Adobe released an emergency patch for its Commerce and Magento Open Source platforms.
“These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” Adobe wrote in his Magento help center.
The affected products are Adobe Commerce and Magento Open Source 2.3.3-p1-2.3.7-p2 and 2.4.0-2.4.3-p1, the company said.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” Adobe said in a security bulletin issued on Sunday.
Cybersecurity firm Sansec on Monday said the vulnerability is “the worst possible type” and abuse has already been reported. The firm said Adobe has been aware of the issue since it first detected it on Jan. 27. It encouraged customers to download the security patch immediately.
Sansec said the security issue allows hackers to digitally skim credit or debit card information during the e-commerce checkout process in what is called a Magecart attack. In a Magecart attack, a hacker is able to gain access to an online store’s source code and alter coding to collect payment data.
“Once a store is under control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for $5 to $30 each,” Sansec explained.
Adobe has provided links to the proper patches to eliminate the vulnerability.
It is unclear how many e-commerce sites may be impacted.
Watch: How hackers attack the cold chain
Sansec had previously detected a malware issue with Adobe’s platforms in late January that affected some 350-plus e-commerce stores. That breach, which impacted Magento 1 platforms, reached more than 500 businesses by early February.
The current breach affects Adobe’s Magento 2 platforms, although Sansec advised anyone running Magento 1 technology, which Adobe is no longer supporting, to deploy extra security measures to avoid future issues.
As of publication time, Adobe had not responded to a request for comment on the security issue.
Click for more articles by Brian Straight.
You may also like:
Drones are flying into weather data deserts. Can they be stopped?
Navigating COVID-19 shipping chaos: Finding capacity and servicing the customer