
Security alert issued for e-commerce platforms

Emergency patch available for users of Commerce, Magento platforms after vulnerability exposed

Security firm Sansec is urging e-commerce users of Adobe platforms to download an emergency patch following reports of hackers gaining access to customer payment information. (Photo: Andrea Piacquadio/Pexels)

Customers using Adobe’s Commerce and Magento platforms for e-commerce stores could be at risk of a cyberattack, according to a security firm that tracks such instances. The concern is great enough that on Sunday, Adobe released an emergency patch for its Commerce and Magento Open Source platforms.

“These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” Adobe wrote in its Magento help center.

The affected products are Adobe Commerce and Magento Open Source versions 2.3.3-p1 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1, the company said.
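A quick way to triage an inventory of Magento installs against the version ranges quoted above, as an added example that is not part of the article or of Adobe's tooling: it parses Magento's `major.minor.patch[-pN]` numbering so that `2.3.3` sorts below `2.3.3-p1`, and flags only builds inside the ranges Adobe listed. The sample inventory at the bottom is constructed; a `False` result means the build is outside the listed ranges, not that it has been verified safe.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges exactly as Adobe listed them (inclusive at both ends).
AFFECTED_RANGES = [("2.3.3-p1", "2.3.7-p2"), ("2.4.0", "2.4.3-p1")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.3.7-p2' into (2, 3, 7, 2). A missing -pN suffix counts as p0,
    so 2.3.3 < 2.3.3-p1 < 2.3.4, matching how Adobe numbers patch releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the listed ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each inventoried version string to whether it is in a listed range."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = ["2.3.3", "2.3.3-p1", "2.3.7-p2", "2.3.7-p3", "2.4.3-p1", "2.4.4"]
    for ver, hit in triage(sample).items():
        print(f"{ver:10} {'AFFECTED - apply the patch' if hit else 'not in listed range'}")
```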

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” Adobe said in a security bulletin issued on Sunday.

Cybersecurity firm Sansec on Monday said the vulnerability is “the worst possible type” and abuse has already been reported. The firm said Adobe has been aware of the issue since it first detected it on Jan. 27. It encouraged customers to download the security patch immediately.

Sansec said the security issue allows hackers to digitally skim credit or debit card information during the e-commerce checkout process in what is called a Magecart attack. In a Magecart attack, a hacker gains access to an online store’s source code and alters it to collect payment data.

“Once a store is under control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for $5 to $30 each,” Sansec explained.

Adobe has provided links to the proper patches to eliminate the vulnerability.

It is unclear how many e-commerce sites may be impacted.


Sansec had previously detected a malware issue with Adobe’s platforms in late January that affected some 350-plus e-commerce stores. That breach, which impacted Magento 1 platforms, reached more than 500 businesses by early February.

The current breach affects Adobe’s Magento 2 platforms, although Sansec advised anyone running Magento 1 technology, which Adobe is no longer supporting, to deploy extra security measures to avoid future issues.

As of publication time, Adobe had not responded to a request for comment on the security issue.


Brian Straight

Brian Straight leads FreightWaves' Modern Shipper brand as Managing Editor. A journalism graduate of the University of Rhode Island, he has covered everything from a presidential election to professional sports and Little League baseball, and for more than 10 years has covered trucking and logistics. Before joining FreightWaves, he was responsible for the editorial quality and production of Fleet Owner magazine. Brian lives in Connecticut with his wife and two kids and spends his time coaching his son’s baseball team, golfing with his daughter, and pursuing his never-ending quest to become a professional bowler. You can reach him at [email protected]