Critical Vulnerability Exposes Adobe Commerce and Magento Stores to Exploits
Recent cybersecurity research indicates that a significant 5% of all Adobe Commerce and Magento stores have been compromised due to a serious security vulnerability named CosmicSting. This development underscores the escalating risk that online retailers are facing in the digital landscape.
The vulnerability, tracked as CVE-2024-34102, has received a CVSS score of 9.8, which categorizes it as a critical flaw. It stems from improper handling of XML external entity (XXE) references and can lead to remote code execution. The issue was identified by the researcher "spacewasp" and patched by Adobe in June 2024. Even so, the flaw appears to have been exploited extensively by malicious actors.
The Dutch security firm Sansec has characterized CosmicSting as "the worst bug to hit Magento and Adobe Commerce stores in two years." Reports indicate that e-commerce sites are experiencing breaches at an alarming rate of three to five per hour. The situation escalated further in mid-July 2024, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, reflecting the widespread exploitation of the flaw.
Attackers are employing the vulnerability to steal Magento’s secret encryption keys, which are vital for generating JSON Web Tokens (JWTs) that facilitate full API administrative access. Subsequently, these threat actors leverage the Magento REST API to insert harmful scripts. The exploitation of CVE-2024-34102 not only compromises individual sites but could potentially allow attackers to take over entire web environments.
Importantly, remediation requires more than simply applying the latest fixes. Because the attack exfiltrates the store's secret encryption keys, site owners must also rotate those keys to thwart further exploitation. Failure to do so could allow attackers to retain covert access through backdoors while executing arbitrary scripts to siphon sensitive user payment data.
Compounding the challenge, attacks observed in August chained CosmicSting with another vulnerability in the iconv library known as CNEXT (CVE-2024-2961), opening a pathway to remote code execution. The combination of these two vulnerabilities enhances the attackers' ability to escalate their privileges and establish lasting control over compromised systems.
Recent analyses have identified a range of companies, including industry giants such as Ray-Ban, National Geographic, and Cisco, among the victims of CosmicSting-related attacks. At least seven distinct groups have been implicated in exploiting this vulnerability, using methods such as encoding techniques and dynamic skimmer scripts to collect sensitive user information surreptitiously.
Business owners are urged to take immediate action to secure their platforms by updating to the latest versions of Magento or Adobe Commerce, rotating secret encryption keys, and invalidating old keys to counteract the risks arising from these vulnerabilities. The situation serves as a stark reminder of the persistent threats facing e-commerce environments, emphasizing the need for vigilance and proactive measures against evolving cyber threats.
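The reason rotation and invalidation of the old keys matter, as both the remediation paragraph above and this recommendation stress, is that an HMAC-signed JWT minted with a leaked key remains valid on a patched server until that key is no longer accepted. The following added example (not Magento's or Adobe's code; the token layout and key values are constructed for illustration) shows a minimal HS256 verifier that accepts only the current key, so a token signed with the retired key is rejected after rotation.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, signing_key: bytes) -> str:
    """Mint an HS256 JWT. Anyone holding signing_key can do this,
    which is why a leaked key is equivalent to admin-level API access."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(signing_key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])


def verify_token(token: str, active_key: bytes, now: int) -> bool:
    """Accept only tokens signed with the *current* key and not yet expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return False
    expected = hmac.new(active_key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return isinstance(claims.get("exp"), int) and claims["exp"] > now


def rotation_demo() -> dict:
    """Constructed scenario: a token minted with the old key, checked before
    and after the store's key is rotated (the old key is no longer accepted)."""
    leaked_key = b"constructed-old-secret-key"  # placeholder, not a real key
    token = issue_token({"sub": "admin", "exp": 2_000_000_000}, leaked_key)
    patched_only = verify_token(token, leaked_key, now=1_700_000_000)
    new_key = hashlib.sha256(b"constructed-new-secret-key").digest()
    rotated = verify_token(token, new_key, now=1_700_000_000)
    return {"valid_after_patch_only": patched_only, "valid_after_rotation": rotated}
```

Running rotation_demo() shows the token still validating on a patched-but-unrotated store and failing once only the new key is accepted.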
In summary, the ongoing threat posed by CosmicSting not only highlights the critical importance of timely security updates but also necessitates a comprehensive strategy for managing encryption and access to sensitive data. By understanding the tactics outlined in the MITRE ATT&CK framework, business owners can better prepare their defenses against such sophisticated attacks.