Categories: InfoSec News Vulnerabilities

Adobe Issues an Emergency Patch to Address an Exploited Commerce Zero-Day Vulnerability

Published by

Yesterday, Adobe issued an emergency advisory to notify users of Adobe Commerce and Magento about a critical zero-day vulnerability that has been exploited in attacks.

As per the tech giant’s threat data, the security issue is being used “in very limited attacks targeting Adobe Commerce merchants.”

To address the critical security flaw affecting its products, the American multinational computer software company has developed patches, which are delivered as MDVA-43395 EE 2.4.3-p1 v1.

The vulnerability has been identified as CVE-2022-24086, with a CVSS score of 9.8. It is characterized as an improper input validation issue that can result in arbitrary code execution. According to Adobe, the flaw can be abused without requiring authentication.

However, the California-based firm also stated that the flaw can only be exploited by hackers with administrative privileges.

Affected Products and Versions

The security vulnerability impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. Adobe Commerce versions prior to 2.3.3 are not affected.

Patches from Adobe can be downloaded and manually installed here.

Adobe has not given any other details about the attacks, and no one has been credited with disclosing the weakness.

According to SecurityWeek, the company declared that it is unable to discuss any additional information about the vulnerability in order to protect its customers’ privacy and security.

The company said that its internal security team was the one to find the vulnerability:

Our internal Adobe security team employs technologies that regularly monitor and help us identify and respond when issues occur.


The findings come after Sansec, an e-commerce malware and vulnerability detection firm, revealed last week that a Magecart attack impacted 500 sites powered by Magento 1 with a credit card skimmer intended to collect sensitive payment details.

The cybercriminals took advantage of a combination of vulnerabilities, as well as the fact that Magento 1 is no longer receiving security fixes.

This month, Adobe released patches for products including Premiere Rush, Illustrator, and Creative Cloud. Among other issues, the patch round addressed security flaws that could result in arbitrary code execution, Denial-of-Service (DoS), and privilege escalation.

You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Social Comments Box
Share the word, let's increase Cybersecurity Awareness as we know it

This post was last modified on 14 February 2022 1:11 PM


Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Leave a Comment
Published by
Tags: 0day adobe Commerce CVE-2022-24086 cybersecurity datasecurity Emergency Exploited infosecurity patch Vulnerability zero-day

Recent Posts

  • InfoSec News
  • Trending

5 British businesses were penalised for making 500,000 unwanted calls

Five businesses have been fined a total of £435,000 (about $529,000) by Britain's data watchdog…

1 day ago
  • Data Security
  • InfoSec News
  • Trending

End 2 End Encryption (E2EE) Is Finally here, kind of, for Apple Device Backups

According to a new optional feature called Advanced Data Protection, end-to-end encryption will soon be…

1 day ago
  • InfoSec News
  • Trending
  • Vulnerabilities

Google releases a fresh version of Chrome to fix yet another zero-day flaw

Google, a leading search engine, fixed a newly discovered and actively exploited zero-day vulnerability in…

6 days ago
  • Data Security
  • InfoSec News

Android puzzle game with over one million downloads reveals user information

Fruits Mania, a well-known and trustworthy puzzle game, is one of the thousands of apps…

7 days ago
  • InfoSec News
  • Trending

TrustCor dropped as Root CA for Mozilla and Microsoft

Microsoft and Mozilla have taken action against a certificate authority that is purportedly linked to…

1 week ago
  • InfoSec News
  • Vulnerabilities

Nvidia patches 29 GPU driver bugs that could lead to code execution, device takeover

Nvidia fixed more than two dozen security flaws in its GPU display driver, the most…

1 week ago