Critical Security Update for Adobe Commerce (Magento) Users

By Source Defense

In the rapidly evolving world of e-commerce, security remains a top priority. As part of our ongoing commitment to protecting our customers, we bring to your attention an important update to Adobe Commerce (Magento). This update underscores the urgent need to take immediate action to protect customer data. This is the second time in as many weeks that a large-scale client-side attack has been disclosed – supporting the PCI Council’s decision to add eSkimming controls to PCI DSS 4.0 and underscoring the fact that waiting for a compliance deadline is a risky decision.

Security threats have been recently detected

Over the past few days, we have observed several client-side attacks targeting sites using Adobe Commerce. These attacks, originating from third parties on the site, exploited a critical security flaw known as CosmicSting (CVE-2024-34102). This vulnerability allows unauthorized access to private files, including those containing sensitive information such as passwords. When combined with the recent iconv bug on Linux, it creates a risk of remote code execution.

Critical Adobe Security Patch

In response to these threats, Adobe has released a critical security patch to address the CosmicSting vulnerability. We strongly encourage all Adobe Commerce users to immediately apply this patch to protect their sites from potential exploitation. Details and a download for this patch are available on the Adobe website.

Our response and your protection

We identified the sites that were affected by these attacks. Thanks to our advanced security measures, Source Defense was able to protect our customers from client-side attacks from third parties on their sites. In particular, we prevented the skimmer from accessing credit card data and notified our customers about the domain the script was trying to send data to. This domain was then added to our blacklist.

One of our customer security engineers noted: “The data provided by Source Defense is critical to understanding the attack and offers insights we could not have obtained from any other source.”

Impact on large companies

This attack did not discriminate based on the size or industry of the target. We found evidence of the same vulnerability being exploited at massive companies, including a $180 billion medical device manufacturer and a $1.4 billion global manufacturer. The widespread nature of this attack underscores the importance of acting quickly to secure your site.

Understanding the attack vector

Recent attacks have allowed attackers to inject code into HTML without directly accessing the database. This was achieved either by calling a script from a remote server or by embedding the script as a first-party element that sent data to a malicious domain. The image below shows an example of how attackers added their script to the page, along with a screenshot of the obfuscated code used:

Protect your website

The recent attacks underscore the need for robust security measures to protect your e-commerce platform. It is important to note that a Content Security Policy (CSP) would not have prevented these attacks because they originated from trusted domains.

Act now to ensure compliance and security

As the March 2025 PCI DSS 4.0 compliance deadline approaches, online payment organizations must inventory, justify, and audit all code in the online transaction process. Waiting to implement these measures can result in compliance bottlenecks and increased exposure to attacks. Source Defense solutions are essential to meeting these requirements and avoiding compliance breaches.

Why defend the source

Source Defense provides an additional layer of security that helps prevent unauthorized scripts from accessing sensitive information and provides real-time visibility into script behavior. This proactive approach allows you to receive notifications and prevent any deviations from expected script behavior, protecting your platform from emerging threats.

Application

The cybersecurity landscape is constantly evolving, and staying up-to-date with the latest threats and patches is key. By applying an Adobe security patch and leveraging Source Defense protection, you can ensure that your site remains secure and resilient to potential attacks.

Our solutions not only protect against eSkimming attacks, but also provide compliance with PCI DSS 4.0 6.4.3 and 11.6.1 requirements, making them essential as the compliance deadline approaches. Don’t wait – take action now to secure your e-commerce platform and ensure compliance.

If you have any questions or need help, please do not hesitate to contact us. Your safety is our priority and we are here to support you every step of the way.

The article Critical security update for Adobe Commerce (Magento) users appeared first on Source Defense.

***This is a blog syndicated by the Security Bloggers Network from Blog | Source Defense, authored by [email protected]. Read the original post at: https://sourcedefense.com/resources/critical-security-update-for-adobe-commerce-magento-users/