April 3, 2019 By Shane Schick 2 min read

Security researchers discovered a Magento flaw that could allow threat actors to penetrate and control features within the popular e-commerce site without authentication.

The Adobe-owned company rushed to offer a patch after a blog post on Sucuri late last week outlined details of an injection vulnerability dubbed PRODSECBUG-2198. Cybercriminals would have to download and crack the necessary password hashes to exploit the vulnerability, but once they do, it would be relatively simple to skim credit card numbers or install backdoors.

In fact, the Magento flaw was given a rating of 8.8, or “very easy” in terms of how readily it could be used to target e-commerce sites.

Reverse Engineering the Magento Flaw

To prove the severity of the threat, researchers said they were able to reverse engineer the official patch and create a working proof of concept of how it might be used by attackers. The vulnerability threatens e-commerce sites that use both the commercial edition of Magento and the open-source version and may go back to some of the product’s earliest releases.

So far, attacks in the wild have not been reported. However, researchers said cybercriminals could use the Magento flaw to inject SQL commands to steal admin rights, usernames and passwords, and other sensitive information. Worse, such attacks could be automated to target a wider pool of vulnerable e-commerce sites simultaneously — a serious concern given that Magento has an estimated 300,000 customers.

The patch subsequently released by Magento covers several other bugs. In the meantime, the researchers recommended monitoring for multiple hits to paths such as /catalog/product/frontend_action_synchronize, which might indicate threat actor are trying to exploit the vulnerability.

Assess Your Patch Management Posture

Effective patch management is critical to defend against threats exploiting the Magento vulnerability. Patch posture reporting can help security teams determine the severity of the threat, when a patch was released, whether other patches have since superseded it and even which machines might be offline for repair. This enables the organization to measure the effectiveness of both its patch management processes and the patches themselves in remediating threats.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today