Adobe has announced a critical security vulnerability affecting Adobe Commerce and Magento Open Source. The vulnerability is being exploited in the wild right now, and Adobe Commerce merchants have already been attacked.
An important detail of the vulnerability shared by Adobe is that no authentication is necessary for a successful exploit to be executed.
This means that an attacker does not need to obtain the user’s login privilege to exploit the vulnerability.
The second detail about this exploit shared by Adobe is that administrator privileges are not necessary to exploit this vulnerability.
Adobe Vulnerability Assessments
Adobe has published three rating scales for vulnerabilities: the CVSS score, the priority level and the severity level.
The CVSS score of the vulnerability
The Common Vulnerability Scoring System (CVSS) is an open standard developed by a non-profit organization (First.org) that scores vulnerabilities on a scale of 1 to 10.
A score of 1 is the least worrisome and a score of 10 is the highest level of severity.
The CVSS score for the Adobe Commerce and Magento vulnerability is 9.8.
The priority level of the vulnerability
The priority scale has three levels, 1, 2 and 3. Level 1 is the most serious and level 3 is the least serious.
Adobe has listed the priority level for this exploit as 1, which is the highest level.
A level 1 priority level means that vulnerabilities are actively exploited in websites.
This is the worst-case scenario for merchants because it means that unpatched versions of Adobe Commerce and Magento are vulnerable to hacking.
Adobe’s definition of priority level 1 is:
“This update resolves vulnerabilities that are targeted, or have a higher risk of targeting, through exploit(s) in the wild for a specific product and platform version.
Adobe recommends that administrators install the update as soon as possible (e.g., within 72 hours).”
The severity level of the vulnerability
Adobe’s severity levels are named Moderate, Important and Critical, with Critical being the most severe level.
The severity level assigned to the Adobe Commerce and Magento Open Source vulnerability is Critical, which is the most severe rating.
Adobe’s definition of the Critical classification is:
“A security vulnerability that, if exploited, would allow malicious native code to be executed, possibly without the user’s knowledge.”
Arbitrary code execution
What makes this vulnerability particularly troubling is the fact that Adobe has acknowledged that it is an arbitrary code execution vulnerability.
Arbitrary code execution generally means that the code an attacker can run is not limited in scope: they can run whatever code they want in order to perform almost any task or command they wish.
An arbitrary code execution vulnerability is a very dangerous type of flaw.
Which versions are affected
Adobe has announced the release of a patch to fix the affected versions of its software.
The update release notes state:
Patches tested to resolve the issue for all versions 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1.
The main vulnerability announcement stated that Adobe Commerce versions 2.3.3 and lower were not affected.
Adobe recommends that users of affected software update their installations immediately.
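Merchants running several stores often first need to know which installs fall inside the version ranges quoted above. The following script is an added example, not Adobe's code or part of the original article; it parses Magento/Adobe Commerce version strings (including the `-pN` security-patch suffix) and triages a constructed inventory against the two affected ranges from the release notes.

```python
import re
from typing import Dict, Tuple

# Affected ranges exactly as quoted from the release notes (inclusive at both ends).
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]

# Matches "2.4.3" or "2.4.3-p1" (major.minor.patch with optional -pN suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into a comparable tuple (major, minor, patch, security_patch).

    A release without a -pN suffix gets security_patch 0, so 2.3.3 sorts before
    2.3.3-p1. That matches the announcement: 2.3.3 and lower are not affected,
    while 2.3.3-p1 is the first affected version.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, sec = match.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the quoted affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each store (hostname -> version) to a short status string.

    Versions outside the listed ranges are reported as such, not declared safe;
    the decision about them belongs to the reader, not to this check.
    """
    return {
        host: ("in affected range - patch now" if is_affected(ver) else "outside listed ranges")
        for host, ver in inventory.items()
    }


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "shop-eu.example": "2.4.3-p1",
    "shop-us.example": "2.3.7-p3",
    "legacy.example": "2.3.3",
    "staging.example": "2.4.1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {SAMPLE_INVENTORY[host]:10} {status}")
```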