Critical Security Vulnerability CVE-2022-24086 Discovered
Adobe addresses critical pre-authentication vulnerability (CVSS 9.8) being actively exploited in the wild. Immediate patching required for all affected Adobe Commerce installations.

Adobe has released an urgent security advisory addressing a critical pre-authentication remote code execution vulnerability (CVE-2022-24086) in Adobe Commerce and Magento Open Source. With a CVSS score of 9.8, this vulnerability is being actively exploited in the wild and poses an immediate threat to all unpatched installations.
Vulnerability Details
CVE ID: CVE-2022-24086
CVSS Score: 9.8 (Critical)
Affected Versions: All supported versions of Adobe Commerce and Magento Open Source
Type: Pre-authentication Remote Code Execution
Exploitation Status: Actively being exploited in the wild
The vulnerability allows unauthenticated attackers to execute arbitrary code on affected installations through a specific input vector. Because authentication is not required, this vulnerability is particularly dangerous and can be exploited by attackers with only network access to the affected system.
Severity Assessment
A CVSS score of 9.8 indicates this is among the most critical vulnerabilities possible. Pre-authentication RCE vulnerabilities are considered high-priority targets by malicious actors, and evidence of active exploitation means attackers have already developed and are deploying working exploits.
For merchants, this vulnerability represents an immediate business risk. A compromised Adobe Commerce installation could result in:
- Complete system compromise and data breach
- Loss of customer data and payment information
- Malware installation and persistent access
- Defacement and operational disruption
- Financial and reputational damage
Immediate Action Required
Adobe has released security patches for all affected versions. Merchants must apply these patches immediately, treating this as a critical incident rather than a routine maintenance task.
For Adobe Commerce Cloud customers: Patches are being applied automatically by Adobe. Verify your environment status in the Adobe Commerce Cloud console and confirm patches are current.
For self-hosted Adobe Commerce and Magento Open Source: Download and apply security patches immediately. If your infrastructure is not in a state that allows immediate patching, consider taking the affected system offline until patches can be applied.
Patching Process
The patching process involves applying security-specific updates that address this vulnerability without requiring full version upgrades. Adobe has streamlined the patch release to minimise compatibility risks and downtime.
For merchants using custom code or extensions, verify compatibility with the patch before deploying to production. Most well-maintained third-party extensions should be compatible, but testing is essential given the criticality.
Post-Patch Security Review
After applying patches, merchants should conduct security reviews to identify any evidence of exploitation:
- Review web server access logs for suspicious requests
- Check system logs for evidence of unauthorised access
- Scan for malware and unauthorised accounts
- Verify file integrity of critical system files
- Review recent administrative activity
If you suspect your system has been compromised, engage security professionals immediately for forensic investigation and remediation.
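The file-integrity step in the review list above can be carried out by diffing the deployed code tree against a known-clean copy of the same release with the same patches applied. The following is an added example, not code from Adobe or from this article; the `SCRIPT_EXTS` list and the sample file names and contents in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml")  # assumption: file types the PHP runtime may execute

def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped here; review them separately
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(reference_root, deployed_root):
    """Diff a deployed tree against a known-clean reference copy of the same release."""
    ref, dep = hash_tree(reference_root), hash_tree(deployed_root)
    added = sorted(set(dep) - set(ref))
    return {
        "modified": sorted(p for p in ref if p in dep and ref[p] != dep[p]),
        "missing": sorted(set(ref) - set(dep)),
        "added": added,
        # Script files absent from the reference are triaged first.
        "added_scripts": [p for p in added if p.lower().endswith(SCRIPT_EXTS)],
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees; names and contents are made up for illustration."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep = os.path.join(tmp, "reference"), os.path.join(tmp, "deployed")
        for root in (ref, dep):
            _write(root, "pub/index.php", b"<?php // front controller\n")
            _write(root, "app/etc/config.php", b"<?php return [];\n")
            _write(root, "lib/helper.php", b"<?php // helper\n")
        _write(dep, "pub/index.php", b"<?php // front controller (altered)\n")
        _write(dep, "pub/media/cache.php", b"<?php // unexpected file\n")
        _write(dep, "pub/media/banner.jpg", b"\xff\xd8\xff")
        os.remove(os.path.join(dep, "lib/helper.php"))
        return compare_trees(ref, dep)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run `compare_trees()` from a separate, trusted host against a read-only copy of the deployed tree where possible, since tooling on a compromised server cannot be relied on to report honestly.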
Prevention and Long-term Security
This incident underscores the importance of:
- Timely patching: Establish processes for rapid security patch deployment
- Monitoring: Implement log monitoring and intrusion detection to identify exploitation attempts
- WAF rules: Deploy web application firewall rules to block exploitation attempts
- Security reviews: Conduct regular security assessments and penetration testing
- Incident response: Develop and test incident response procedures before they're needed
Support Resources
Adobe has published comprehensive documentation and is providing support through all channels. Merchants with questions or concerns should contact their support providers immediately.
This critical vulnerability is a reminder that e-commerce platforms require constant vigilance. Swift action now will protect your business, your customers and your reputation.