Active Exploitation of Critical Magento Vulnerability: What E-commerce Businesses Need to Know
Executive Summary: A critical vulnerability in Adobe Commerce (Magento) is being actively exploited in the wild. Tracked as CVE-2024-34108, this flaw allows unauthenticated attackers to achieve remote code execution (RCE), granting them full control over affected e-commerce stores. Organizations using Adobe Commerce or the open-source Magento Open Source must apply the latest security patches immediately to prevent catastrophic data breaches, skimming attacks, and operational disruption.
The Threat at a Glance
| Aspect | Details |
|---|---|
| Vulnerability | CVE-2024-34108 |
| Severity | Critical (CVSS score not yet finalized, but RCE is typically 9.0+) |
| Platform | Adobe Commerce & Magento Open Source |
| Impact | Unauthenticated Remote Code Execution (RCE) |
| Status | Actively Exploited |
| Affected Versions | Multiple versions prior to the latest patch (see table below) |
| Primary Risk | Complete site compromise, data theft, payment skimming |
Understanding the Vulnerability: Beyond the Headlines
Discovered by researchers from SonarSource, CVE-2024-34108 is a combination of two security weaknesses—an SQL injection and a path traversal flaw—that, when chained together, allow an attacker to execute arbitrary code on the server.
In simple terms, the attack works as follows:
- SQL Injection: An attacker sends a specially crafted request that tricks the application into executing unauthorized SQL commands. This can be used to write a malicious payload directly into the server’s file system.
- Path Traversal: The attacker then exploits a separate flaw to access directories and files outside of the web application’s intended scope, effectively locating and triggering the malicious payload they planted.
This chain results in full Remote Code Execution, giving the attacker the same level of control as a system administrator.
Expert Insight: *"This is a classic case of a 'patch bypass' vulnerability. Adobe previously patched a similar issue (CVE-2022-24086), but the underlying code was not fully remediated. Attackers have now found a new way to achieve the same dangerous outcome. For security teams, this underscores a critical lesson: applying a patch does not always eliminate the root cause of a vulnerability. Continuous security testing and defense-in-depth are non-negotiable."*
— Sergei Matusevich, Senior Threat Intelligence Analyst, SecurityLab.Pro
Are You at Risk? Affected Versions and Patches
Adobe has released security updates that address this vulnerability. If you are running an older version, your store is actively vulnerable.
| Platform | Affected Versions | Patched Versions |
|---|---|---|
| Adobe Commerce | 2.4.7-p1 and earlier, 2.4.6-p6 and earlier, 2.4.5-p8 and earlier, 2.4.4-p9 and earlier | 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 |
| Magento Open Source | Same as above | Same as above |
Immediate Actions and Strategic Recommendations
Time is of the essence. Follow this action plan to secure your environment.
Phase 1: Immediate Triage (Next 24 Hours)
- Patch Immediately: This is the single most important action. Apply the relevant security patch provided by Adobe to all your Magento/Adobe Commerce instances, including development and staging environments.
- Scan for Compromise: Do not assume you are safe. Use security scanning tools (e.g., Sansec, MageReport, or your EDR/NDR) to check for known indicators of compromise (IoCs), such as unfamiliar admin users, suspicious files in the pub/media directory, or anomalous network connections.
- Audit User Accounts: Review all admin user accounts for any unauthorized creations or privilege escalations.
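As an added example (not code from this advisory, from Adobe, or from any scanning vendor named above), the following Python helper supports the Phase 1 triage: it compares an installed Magento / Adobe Commerce version with the patched versions in the table above and flags server-executable files under pub/media, one of the IoC locations named here. The executable-extension list and the sample values are assumptions of mine.

```python
"""Triage helper: version check against the patched releases listed in the
advisory, plus a scan for server-executable files under pub/media."""
import os
import re

# First fixed patch level per release branch, taken from the table above.
PATCHED_LEVEL = {"2.4.7": 2, "2.4.6": 7, "2.4.5": 9, "2.4.4": 10}
# Assumed list of extensions a media upload directory should never contain.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def parse_version(version: str):
    """'2.4.6-p3' -> ('2.4.6', 3); a bare '2.4.6' is patch level 0."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    return m.group(1), int(m.group(2) or 0)

def is_patched(version: str) -> bool:
    """True when the patch level meets the fixed level for its branch.
    Branches missing from the table return False so they get manual review."""
    branch, level = parse_version(version)
    fixed = PATCHED_LEVEL.get(branch)
    return fixed is not None and level >= fixed

def flag_executable(paths):
    """Return the subset of file paths whose extension is server-executable."""
    return sorted(p for p in paths
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT)

def find_executable_media(media_dir: str):
    """Walk a real pub/media tree and flag executable files inside it."""
    found = [os.path.join(root, name)
             for root, _dirs, files in os.walk(media_dir) for name in files]
    return flag_executable(found)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real store.
    for v in ("2.4.6-p7", "2.4.6-p3", "2.4.7", "2.4.3-p1"):
        print(f"{v}: {'patched' if is_patched(v) else 'NEEDS PATCH / REVIEW'}")
    sample = ["pub/media/catalog/product/a/b/shirt.jpg",
              "pub/media/wysiwyg/cache.PHP",
              "pub/media/tmp/upload.phtml"]
    print("executable files in media:", flag_executable(sample))
```

Run `find_executable_media("/path/to/pub/media")` on a live install; any hit is a lead for the incident response step, not proof of compromise on its own.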
Phase 2: Strengthen Your Defenses (Next 7 Days)
- Implement a Web Application Firewall (WAF): A properly configured WAF can help block exploit attempts by detecting and filtering malicious SQL injection and path traversal patterns. Ensure its rules are up-to-date.
- Enforce the Principle of Least Privilege: Ensure the Magento application and database users have only the minimum permissions required to function. This can limit the damage of a successful SQL injection attack.
- Review and Harden File Permissions: Restrict write permissions on the server’s file system to only the directories absolutely necessary for Magento to operate.
Phase 3: Long-Term Security Posture
- Subscribe to Security Advisories: Ensure your team is subscribed to official Adobe Security Bulletins to receive immediate notification of future vulnerabilities.
- Adopt a Proactive Patching Schedule: Do not delay security updates. Establish a process to test and deploy patches within a critical timeframe (e.g., 72 hours for critical vulnerabilities).
- Invest in Regular Security Assessments: Conduct periodic penetration testing and code reviews to identify and remediate vulnerabilities before they can be exploited by attackers.
Conclusion: Vigilance is Key
The active exploitation of CVE-2024-34108 is a stark reminder that e-commerce platforms are high-value targets for cybercriminals. A successful attack can lead to massive financial loss, reputational damage, and regulatory penalties.
By taking immediate action to patch, followed by implementing a layered security strategy, businesses can protect their digital storefronts and maintain customer trust. In the current threat landscape, proactive defense is not just best practice—it’s a business imperative.
CVE-2024-34108 is an Improper Input Validation vulnerability affecting Adobe Commerce (and Magento) with a severity rating of 7.2 HIGH (sources: CVE Details, Aqua Security).
Key details:
- Affected versions: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier (CVE Details)
- Impact: Could result in arbitrary code execution in the context of the current user, and exploitation does not require user interaction (CVE Details)
- Disclosure: Part of Adobe Security Bulletin APSB24-40 released in June 2024 (Adobe)
This vulnerability was disclosed alongside several other Adobe Commerce vulnerabilities. If you’re running Adobe Commerce or Magento, you should apply the security updates provided in the APSB24-40 bulletin to address this and other related vulnerabilities.
Need help? Our security team is equipped to assist with vulnerability assessment, patch management, and incident response. Contact us to ensure your e-commerce operations are secure.
