Proof-of-concept Magento exploit used in attacks

Threat actors weaponized a proof-of-concept exploit for a critical vulnerability in Magento after the e-commerce platform patched dozens of flaws last week.

The security team for Magento, which is part of the Adobe Commerce Cloud, released 37 patches on March 26, the most important of which prevents SQL injection attacks based on the proof-of-concept (POC) Magento exploit.

The SQL injection vulnerability affected Magento versions 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8 and Magento 2.3 prior to 2.3.1, and it could allow remote code execution (RCE).

Marc-Alexandre Montpas, a researcher with web security firm Sucuri, based in Menifee, Calif., said the SQL vulnerability was "very easy to exploit" and urged users to install the Magento patches.

"One of the bugs listed includes an SQL Injection vulnerability which can be exploited without any form of privilege or authentication," Montpas wrote in a blog post. "Due to the risk this vulnerability represents, and the fact we are not seeing attacks in the wild yet, we will refrain from publishing any technical details for the time being. Our team reversed the official patch and successfully created a working proof of concept exploit for internal testing and monitoring."

Ambionics Security, a threat assessment firm based in Paris, disclosed the flaw to Magento in November via Bugcrowd. The company warned users on March 25 via Twitter to install the forthcoming patches. On March 27, it tweeted it was going to delay disclosing the technical details of a Magento exploit "to a yet unknown time," because the RCE vector Ambionics disclosed hadn't been patched.

However, on March 29 -- three days after the patches were released -- Ambionics not only posted technical details of the vulnerability, but also posted a proof-of-concept SQL injection Magento exploit.

Also on March 29, Peter Jaap Blaakmeer, CTO of Elgentos Ecommerce, which specializes in building Magento web stores, tweeted that his company had "already seen attempts at two of our shops using the published POC."

Blaakmeer confirmed via Twitter direct message that he saw more attempts -- "about a dozen over the weekend, spread over several but not all of our shops." He added that the payload used in the attack attempts matched the POC Magento exploit code released by Ambionics.

Ambionics did not respond to requests for comment at the time of this post.

When questioned about attacks in the wild, a Magento spokesperson said, "As the majority of exploits tend to target software installations that are not up to date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available."

Magento urged users to upgrade in order to protect against all known flaws, but also released a patch specifically for the SQL injection vulnerability in case users were unable to upgrade right away.