Light Dark
April 3, 2019 By Shane Schick 2 min read

Security researchers discovered a Magento flaw that could allow threat actors to penetrate and control features within the popular e-commerce site without authentication.

The Adobe-owned company rushed to offer a patch after a blog post on Sucuri late last week outlined details of an injection vulnerability dubbed PRODSECBUG-2198. Cybercriminals would have to download and crack the necessary password hashes to exploit the vulnerability, but once they do, it would be relatively simple to skim credit card numbers or install backdoors.

In fact, the Magento flaw was given a rating of 8.8, or “very easy” in terms of how readily it could be used to target e-commerce sites.

Reverse Engineering the Magento Flaw

To prove the severity of the threat, researchers said they were able to reverse engineer the official patch and create a working proof of concept of how it might be used by attackers. The vulnerability threatens e-commerce sites that use both the commercial edition of Magento and the open-source version and may go back to some of the product’s earliest releases.

So far, attacks in the wild have not been reported. However, researchers said cybercriminals could use the Magento flaw to inject SQL commands to steal admin rights, usernames and passwords, and other sensitive information. Worse, such attacks could be automated to target a wider pool of vulnerable e-commerce sites simultaneously — a serious concern given that Magento has an estimated 300,000 customers.

The patch subsequently released by Magento covers several other bugs. In the meantime, the researchers recommended monitoring for multiple hits to paths such as /catalog/product/frontend_action_synchronize, which might indicate threat actor are trying to exploit the vulnerability.

Assess Your Patch Management Posture

Effective patch management is critical to defend against threats exploiting the Magento vulnerability. Patch posture reporting can help security teams determine the severity of the threat, when a patch was released, whether other patches have since superseded it and even which machines might be offline for repair. This enables the organization to measure the effectiveness of both its patch management processes and the patches themselves in remediating threats.

 |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature