
    Critical Magento 2 Security Vulnerability CVE-2022-24086 & CVE-2022-24087

    Magento 2 CVE-2022-24086 Adobe Commerce APSB22-12 Patch MDVA-43395_EE_2.4.3-p1_v1 for Magento Open Source

URGENT UPDATES:

    On February 17th, 2022, Adobe released a notice stating that “We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087).” Even if you have already patched for CVE-2022-24086 with patch MDVA-43395_EE_2.4.3-p1_v1, you will need to go back and apply patch MDVA-43443_EE_2.4.3-p1 to resolve vulnerability CVE-2022-24087 ASAP. You can access more information at https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-

On February 18th, 2022, we came across reports of patch MDVA-43443_EE_2.4.3-p1 breaking the “Template Styles” configuration, because the patch removes all curly braces from that input in order to sanitize it.
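Because the two patches above must both be present (MDVA-43395_EE_2.4.3-p1_v1 alone is not enough), and because a hand-applied patch can silently fail or only partly apply, it is worth verifying patch state rather than trusting a checklist. The following is an added example, not JetRails or Adobe code: a small checker that parses a unified diff and reports, per file, whether every hunk's post-image is present ("applied"), whether the pre-image is still there ("not-applied"), or whether the file matches neither ("partial" or "unknown", which is what you get when a patch built for 2.4.3-p1 is run against a different release). The diff and PHP file embedded below are constructed placeholders, not the contents of the real MDVA patches, which you would take from the Adobe support article linked above.

```python
"""Report whether a unified-diff patch has been applied to a Magento tree.

Added example (not JetRails or Adobe code). SAMPLE_PATCH and the file
written by demo() are constructed placeholders; they are NOT the real
MDVA-43395 / MDVA-43443 diffs. Point patch_status() at your Magento root
and the real patch text to check a live install.
"""
import tempfile
from pathlib import Path

# Constructed placeholder diff in the same -p1 layout Adobe's composer
# patches use (paths prefixed with a/ and b/).
SAMPLE_PATCH = """\
diff --git a/vendor/example/Filter.php b/vendor/example/Filter.php
--- a/vendor/example/Filter.php
+++ b/vendor/example/Filter.php
@@ -1,5 +1,6 @@
 <?php
 function filterDirective($value)
 {
+    $value = sanitize($value); // constructed placeholder line
     return $value;
 }
"""


def parse_patch(text):
    """Return {path: [hunk, ...]}; each hunk has 'before' and 'after' line lists."""
    files = {}
    current = None
    hunk = None
    for line in text.splitlines():
        if line.startswith("+++ "):
            current = line[4:].split("\t")[0].strip()
            current = current[2:] if current.startswith("b/") else current
            files[current] = []
            hunk = None
        elif line.startswith("--- "):
            continue
        elif line.startswith("@@") and current is not None:
            hunk = {"before": [], "after": []}
            files[current].append(hunk)
        elif hunk is not None:
            if line.startswith("+"):
                hunk["after"].append(line[1:])
            elif line.startswith("-"):
                hunk["before"].append(line[1:])
            elif line.startswith("\\"):  # "\ No newline at end of file"
                continue
            else:  # context line (leading space) or bare empty line
                hunk["before"].append(line[1:])
                hunk["after"].append(line[1:])
    return files


def contains_block(file_lines, block):
    """True if `block` occurs as a contiguous run of lines in file_lines."""
    n = len(block)
    if n == 0:
        return True
    return any(file_lines[i:i + n] == block for i in range(len(file_lines) - n + 1))


def patch_status(root, patch_text):
    """Map each patched path to applied / not-applied / partial / unknown / missing."""
    result = {}
    for path, hunks in parse_patch(patch_text).items():
        target = Path(root) / path
        if not target.exists():
            result[path] = "missing"
            continue
        lines = target.read_text().splitlines()
        applied = sum(contains_block(lines, h["after"]) for h in hunks)
        if applied == len(hunks):
            result[path] = "applied"
        elif applied:
            result[path] = "partial"  # some hunks in, some out: a failed/interrupted apply
        elif all(contains_block(lines, h["before"]) for h in hunks):
            result[path] = "not-applied"
        else:
            result[path] = "unknown"  # neither image matches, e.g. wrong Magento version
    return result


def demo():
    """Write an unpatched and a patched copy of the constructed file; report both."""
    unpatched = ["<?php", "function filterDirective($value)", "{", "    return $value;", "}"]
    patched = unpatched[:3] + ["    $value = sanitize($value); // constructed placeholder line"] + unpatched[3:]
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, content in (("unpatched", unpatched), ("patched", patched)):
            f = root / name / "vendor/example/Filter.php"
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("\n".join(content) + "\n")
        return {name: patch_status(root / name, SAMPLE_PATCH) for name in ("unpatched", "patched")}


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Run it once per required patch (MDVA-43395 first, then MDVA-43443) against the Magento root; anything other than "applied" for every file means the site is still exposed, and "unknown" usually means the patch does not match the installed release, so the correct version of the patch has to be obtained rather than forced in.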

    Original Post from February 14th, 2020:

While many security patches are released for Magento 2, most of them are for vulnerabilities that would be difficult for hackers to take advantage of. For instance, they may require an attacker to first gain access to your Magento admin before they can be exploited. When it comes to CVE-2022-24086, a critical security vulnerability that Adobe released a patch for on Sunday, February 13th, 2022, that’s not the case.

    CVE-2022-24086 allows unauthenticated remote code execution (RCE), which is already being abused in the wild. In other words, hackers are scanning the web for vulnerable Magento sites, and they won’t have much trouble penetrating the defenses of a site that hasn’t installed this new patch. This particular exploit will give these criminals control of your Magento website.

This type of severe security hole is a rare find. Our friends at Sansec compared the severity of this arbitrary code execution issue to the Magento Shoplift vulnerability from 2015, which saw thousands of sites hacked within days. With that in mind, this is the kind of security issue that we hope to see only once a decade, but it’s here. That means it’s time to patch your site ASAP. This is not the type of patch that you can wait on. It is extremely important to apply it as close to immediately as possible.

Speaking of Sansec, they have an excellent write-up on this security issue and how to patch it here.

    Other helpful resources:

Unfortunately, due to the dynamic nature of this vulnerability, it’s not something that can be comprehensively stopped with a Web Application Firewall (WAF) or other external tools. You should proceed to patch your website immediately.

This comes on the heels of an attack dubbed NaturalFreshMall, which impacted hundreds of Magento 1 websites with a payment skimmer that was loaded from “naturalfreshmall.com”, hence the name.

It also hits at a time when many in the Magento community are still patching servers for Log4j issues, although users of Managed Services like JetRails have been patched for Log4j vulnerabilities for a long time now. If you’re not already leveraging a fully-managed Magento hosting service like JetRails, which includes managed firewalling and security hardening, intrusion detection, malware scanning, and upkeep of your server software, you should be. Keeping up with these sorts of security challenges is a full-time job. It’s why your Magento website deserves a team like JetRails that provides round-the-clock monitoring, maintenance, and management of your Magento hosting environment.

    About The Author
    Robert Rand
    Director of Partnerships & Alliances

    Robert is a Magento 1 and 2 Solution Specialist with over a decade of experience in helping merchants benefit from sound ecommerce and digital marketing strategies. He’s highly experienced at harnessing the power of ecommerce technologies and solutions to help businesses of all types and sizes grow and succeed.
