Adobe has issued a security advisory regarding a severe vulnerability that affects Adobe Commerce and Magento Open Source. Adobe Commerce merchants have been targeted, and the vulnerability is currently being exploited in the wild. One of the most critical aspects of the Adobe vulnerability is that no authentication is required to carry out successful exploitation. This means that an attacker does not need to gain access to a user’s login credentials to exploit the flaw.
The second point Adobe made about this issue is that exploitation does not require admin rights either. Adobe released three vulnerability rating metrics:
- Common Vulnerability Scoring System (CVSS)
- Priority
- Vulnerability Level
CVSS (Common Vulnerability Scoring System): CVSS is an open standard maintained by the non-profit First.org that scores vulnerabilities on a scale of 1 to 10. A vulnerability with a score of one is the least alarming, and one with a score of ten is the most serious.
Priority Level of Vulnerability: The priority measure has three levels: 1, 2, and 3. Level one is the most serious, and level three the least serious. The priority level of this exploit has been set to 1, the highest level. Level 1 is assigned to vulnerabilities that are being actively exploited on websites. This is the worst-case scenario for merchants, because unpatched Adobe Commerce and Magento instances are exposed to hacking.
Moderate, important, and critical are Adobe’s vulnerability levels, with critical being the most hazardous. The Adobe Commerce and Magento Open Source exploits have been assigned a critical vulnerability level, which is the most serious rating.
The fact that Adobe states it is an Arbitrary Code Execution vulnerability makes this vulnerability even more concerning. In general, arbitrary code execution refers to an attacker's ability to run virtually any code they want on the affected system, and so to carry out practically any action or instruction they choose.