Exploiting Critical Vulnerability in Magento 2 to Target E-commerce Websites
| Field | Details |
|---|---|
| Product and affected versions | Adobe Commerce and Magento Open Source (Magento 2 software), versions susceptible to the critical security flaw CVE-2022-24086 |
| Severity and CVE ID | Severity: Critical (CVSS score: 9.8); CVE ID: CVE-2022-24086 |
| Vulnerability | Allows attackers to achieve arbitrary code execution, leading to potential compromise of affected Magento 2 instances |
How the attack works

1. Initial access: exploitation of CVE-2022-24086 to gain initial access.
2. Exploitation and execution: the foothold is used to execute malicious PHP code.
3. Web shell deployment: a web shell named "wso-ng" is deployed, disguised as a Google Shopping Ads component.
4. Activation and data exfiltration: the web shell is activated by sending the "magemojo000" cookie in HTTP requests; sales order payment method information from the past 10 days is exfiltrated.
5. Rogue admin user creation: a rogue admin user named "mageworx" or "mageplaza" is created so that it appears benign.
6. Skimmer infections: some sites were observed to carry JavaScript-based skimmers that collect credit card data.
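Two of the indicators above are cheap to check for on a Magento 2 host: the "magemojo000" trigger cookie in web server access logs and the vendor look-alike admin usernames. The following is an added detection example, not code from the advisory or from Akamai; it assumes the access log format has been extended with the request Cookie header (Apache `%{Cookie}i` appended to the combined format), and all log lines and usernames below are constructed samples.

```python
import re
from typing import Iterable

# Indicators from the advisory: the web shell is triggered by a "magemojo000"
# cookie, and rogue admin users are named after well-known extension vendors.
TRIGGER_COOKIE = "magemojo000"
ROGUE_ADMIN_NAMES = {"mageworx", "mageplaza"}

# Assumed log format (not stated in the advisory): Apache "combined" with the
# request Cookie header appended in quotes, e.g. LogFormat "... \"%{Cookie}i\"".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def find_webshell_activations(lines: Iterable[str]) -> list[dict]:
    """Return parsed entries whose Cookie header carries the trigger cookie name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; log format differs or line is truncated
        # Compare cookie names only, so any value (e.g. "magemojo000=1") is caught.
        names = {c.split("=", 1)[0].strip() for c in m["cookie"].split(";") if c.strip()}
        if TRIGGER_COOKIE in names:
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"]})
    return hits

def find_rogue_admins(admin_usernames: Iterable[str]) -> list[str]:
    """Flag admin accounts whose names match the campaign's vendor look-alikes."""
    return sorted(u for u in admin_usernames if u.lower() in ROGUE_ADMIN_NAMES)

# Constructed sample data for a stand-alone run; request paths are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2023:12:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '198.51.100.7 - - [10/Aug/2023:12:05:44 +0000] "POST /pub/media/ads.php HTTP/1.1" 200 312 "-" "curl/7.88" "magemojo000=1; PHPSESSID=def456"',
    '198.51.100.7 - - [10/Aug/2023:12:06:10 +0000] "GET /admin HTTP/1.1" 302 0 "-" "curl/7.88" "-"',
]
SAMPLE_ADMINS = ["admin", "mageplaza", "store_manager"]  # e.g. from SELECT username FROM admin_user

if __name__ == "__main__":
    for hit in find_webshell_activations(SAMPLE_LOG):
        print("web shell trigger seen:", hit)
    print("rogue admin accounts:", find_rogue_admins(SAMPLE_ADMINS))
```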
Remediations

- Apply patches: ensure the installation of the latest patches, especially for the patched vulnerability (CVE-2022-24086).
- Update security measures: enhance security measures, including web application firewalls and intrusion detection systems.
- Regular auditing: conduct regular security audits to identify vulnerabilities and potential intrusions.
- Strong authentication: implement strong authentication mechanisms to prevent unauthorized access.
- Monitor for anomalies: continuously monitor network traffic and server activities for any suspicious behavior.
References

Akamai's analysis of the ongoing campaign (Xurum) targeting Magento 2 instances. Always refer to official security advisories and guidelines for the most accurate and up-to-date information.