CosmicSting Exploit Targets Adobe Commerce and Magento Stores, Impacting 5% of All Stores

October 2, 2024

Cybersecurity researchers have revealed that a security vulnerability, dubbed CosmicSting, has been exploited by malicious actors, resulting in the compromise of 5% of all Adobe Commerce and Magento stores. This critical flaw, tracked as CVE-2024-34102, could lead to remote code execution due to an improper restriction of XML external entity reference (XXE). The vulnerability was patched by Adobe in June 2024, but despite this, e-commerce sites are still being breached at a rate of three to five per hour.

Dutch security firm Sansec has described CosmicSting as the worst bug to affect Magento and Adobe Commerce stores in the past two years. The flaw has been widely exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalog in mid-July 2024.

Some of the attacks have used the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have been seen leveraging the Magento REST API to inject malicious scripts. This means the latest fix alone is not enough to secure against the attack: site owners also need to rotate the encryption keys, since tokens minted with a stolen key remain valid for as long as that key is accepted.

In August 2024, subsequent attacks combined CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv functionality of the GNU C library (glibc), to achieve remote code execution. 'CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system,' Sansec stated.

The ultimate aim of these breaches is to establish persistent, covert access on the host via GSocket and to insert rogue scripts that execute arbitrary JavaScript received from the attacker, in order to pilfer payment data entered by users on the sites. Several companies, including Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway, have been victimized by CosmicSting attacks, with at least seven distinct groups participating in the exploitation efforts.

'Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce,' Sansec advised. 'They should also rotate secret encryption keys, and ensure that old keys are invalidated.'
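The two points above (a stolen signing key lets an attacker mint admin tokens, and rotating the key only helps if the old key is actually invalidated) can be shown with a small HS256 JWT key-ring simulation. This is an added example written for this page, not code from Sansec, Adobe or Magento, and it does not reproduce Magento's real token or key-storage format; the `keyring` list, `rotate_key` helper and the key values are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Constructed illustration of JWT signing keys held in a key ring.
# Magento's actual key handling is not reproduced here.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that base64url strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(payload: dict, key: bytes) -> str:
    """Sign a payload with HS256. Anyone holding the key, including an
    attacker who read it from disk, can produce a token the server trusts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, keyring: List[bytes]) -> Optional[dict]:
    """Return the payload if the signature matches any key still in the ring,
    otherwise None. Only HS256 is accepted, so 'alg: none' tokens are refused."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    sig = _b64url_decode(sig_b64)
    for key in keyring:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return json.loads(_b64url_decode(payload_b64))
    return None


def rotate_key(keyring: List[bytes], new_key: bytes, invalidate_old: bool) -> List[bytes]:
    """Two rotation policies: keep old keys accepted (weak) or drop them (correct)."""
    if invalidate_old:
        return [new_key]
    return [new_key] + list(keyring)


def demo() -> dict:
    """Walk through the scenario: leaked key, forged admin token, two rotations."""
    leaked_key = secrets.token_bytes(32)  # the key an attacker read off the server
    keyring = [leaked_key]
    forged = mint_jwt({"sub": "attacker", "admin": True}, leaked_key)

    results = {"before_rotation": verify_jwt(forged, keyring) is not None}

    # Rotation that leaves the old key active still accepts the forged token.
    weak_ring = rotate_key(keyring, secrets.token_bytes(32), invalidate_old=False)
    results["rotated_old_key_kept"] = verify_jwt(forged, weak_ring) is not None

    # Rotation that invalidates the old key finally rejects it.
    fixed_ring = rotate_key(keyring, secrets.token_bytes(32), invalidate_old=True)
    results["rotated_old_key_invalidated"] = verify_jwt(forged, fixed_ring) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` result is `{'before_rotation': True, 'rotated_old_key_kept': True, 'rotated_old_key_invalidated': False}`: patching the file-read bug does nothing about a key that has already been copied, and adding a new key while still honouring the old one changes nothing for the attacker. The only effective step is the one Sansec names, rotating and invalidating the old key.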
