Second Critical Patch CVE-2022-24087 Released
Additional security update requires merchants to apply both MDVA-43395 and MDVA-43443 patches to protect against critical vulnerabilities.

Adobe has released a critical security patch addressing CVE-2022-24087. This update requires merchants to apply two essential patches: MDVA-43395 and MDVA-43443. This is not a routine maintenance release: the patches close a significant security gap that could expose merchant data and customer information if left unpatched.
Understanding the Vulnerability
CVE-2022-24087 affects core Adobe Commerce functionality and has been classified as critical by Adobe's security team. The vulnerability creates a pathway for unauthorised access to sensitive systems and data, making swift remediation essential. This is not a vulnerability that should be deferred or scheduled into the next quarterly maintenance window.
The threat is real and immediate. Security researchers are aware of this flaw, and threat actors have already begun probing production environments. Every day the patch remains uninstalled increases risk exponentially.
What Merchants Need to Do
Immediate action is required across all Adobe Commerce environments:
- Apply MDVA-43395: This patch addresses the core vulnerability vector. It must be deployed to all production, staging and development environments.
- Apply MDVA-43443: This secondary patch closes a related vulnerability that can be exploited in conjunction with CVE-2022-24087. Both patches must be installed to achieve complete protection.
- Test thoroughly: After patching, conduct comprehensive smoke testing of critical paths: checkout, customer account operations, order management, and payment processing.
- Monitor systems: Watch for any unusual activity in logs and access patterns immediately following patch deployment.
Implementation Best Practices
When deploying these critical patches, follow a structured approach:
Development first: Apply patches to your development environment and run your complete test suite. Ensure custom extensions and integrations remain compatible.
Staging validation: Mirror your production environment as closely as possible in staging. Simulate real customer workflows, load testing and edge cases.
Production deployment: Schedule deployment during low-traffic periods. Have rollback procedures ready, though in this case, rolling forward to the patched version is the only secure option.
Post-deployment: Monitor error logs, performance metrics and transaction throughput closely. Document any unexpected behaviour and report it to Adobe's support team.
The Broader Security Landscape
This patch reinforces a critical lesson: security is not a project, it's an ongoing programme. Adobe Commerce merchants must establish repeatable processes for security patching that treat critical updates as business continuity issues, not IT overhead.
We advise our partners to:
- Maintain a documented patch calendar with clearly defined maintenance windows.
- Automate smoke test execution to validate patches quickly.
- Keep extension vendors accountable for timely compatibility statements.
- Monitor Adobe's security announcements closely and escalate critical patches to business stakeholders immediately.
Why This Matters for Your Business
A successful breach does not just mean compromised data — it means loss of customer trust, regulatory penalties, operational disruption and brand damage that can take years to recover from. The cost of applying a patch today is negligible compared to the cost of a breach tomorrow.
If your team lacks the capacity or expertise to deploy critical patches swiftly, now is the time to bring in specialised support. This is not an area where cost-cutting serves your business well.
Next Steps
Don't wait. Contact Adobe support immediately if you have not yet applied MDVA-43395 and MDVA-43443. If you operate multiple Adobe Commerce instances, create a deployment schedule and work through them methodically. And if you need expert guidance navigating the patching process or ensuring your extensions remain compatible, our team at Tom&Co can help you move quickly and safely.
Security patches are not luxuries — they are necessities. Treat them accordingly.