Magento Flaw Exploited to Inject Persistent Backdoor into Ecommerce Sites

April 5, 2024

Sansec, a cybersecurity firm, has disclosed that a critical vulnerability in Magento, tracked as CVE-2024-20720, is being exploited by attackers to implant a persistent backdoor on ecommerce websites. This vulnerability, an OS command injection flaw that allows arbitrary code execution without user interaction, was resolved by Adobe in its February 2024 Patch Tuesday updates for both Adobe Commerce and Magento. However, websites that have not been updated remain susceptible to exploitation.

The attackers have found a novel way to exploit CVE-2024-20720, using a crafted layout template in the database to inject XML code capable of re-infecting Magento servers even after a manual fix has been implemented. Sansec explains, “Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever /checkout/cart is requested”.

In the observed attacks, the backdoor is incorporated into the automatically generated content management system (CMS) controller. This ensures the backdoor is periodically re-injected, providing persistent remote code execution through POST commands. The threat actors have utilized this mechanism to inject a counterfeit Stripe payment skimmer and exfiltrate payment data from the compromised online stores.

Users are urged to promptly update to Magento versions 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7, and to scan their websites for potential signs of a malware infection.
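Because the injection described above lives in layout XML stored in the database rather than in files, a file-integrity scan alone can miss it. The following Python heuristic is an added example (not Sansec's, Adobe's or Magento's code) of how a defender can triage exported layout-update records: it flags blocks whose class is outside an allowlisted namespace and any attribute or text that names the beberlei/assert namespace or a PHP process-execution function. The allowlist, the keyword list and the two sample records are assumptions constructed here for illustration and should be tuned per site.

```python
"""Heuristic scan of Magento layout-update XML for injected command-execution blocks.

Assumes the XML was exported from the layout_update table (or taken from theme
layout files). The namespace allowlist and keyword list are heuristics chosen for
this example, not an official Magento or Sansec indicator list.
"""
import re
import xml.etree.ElementTree as ET

# Namespaces a block class is normally expected to live under (assumption: extend
# with your own module vendors, e.g. "Vendor\\").
ALLOWED_PREFIXES = ("Magento\\",)

# Tokens that should never appear in layout XML: the beberlei/assert namespace
# ("Assert\") that the attackers abused, plus PHP process-execution functions.
SUSPICIOUS = re.compile(r"\bAssert\\|\b(system|exec|shell_exec|passthru|popen|proc_open)\b")


def scan_layout_xml(xml_text: str) -> list[str]:
    """Return human-readable findings for one layout update record (empty if clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cls = elem.get("class")
        if cls and not cls.startswith(ALLOWED_PREFIXES):
            findings.append(f"<{elem.tag}> uses non-allowlisted class {cls!r}")
        # Check every attribute value and the element's text for suspicious tokens.
        for value in list(elem.attrib.values()) + [elem.text or ""]:
            match = SUSPICIOUS.search(value)
            if match:
                findings.append(f"<{elem.tag}> contains suspicious token {match.group(0)!r}")
    return findings


# Constructed sample records: a normal checkout cart block and an injected one.
BENIGN_LAYOUT = (
    '<body><referenceContainer name="content"><block class="Magento\\Checkout\\Block\\Cart" '
    'name="checkout.cart" template="Magento_Checkout::cart.phtml"/></referenceContainer></body>'
)
INJECTED_LAYOUT = (
    '<body><referenceContainer name="content"><block class="Assert\\Assertion" name="cart.inject">'
    '<arguments><argument name="cmd">shell_exec</argument></arguments></block>'
    '</referenceContainer></body>'
)

if __name__ == "__main__":
    for label, record in (("benign", BENIGN_LAYOUT), ("injected", INJECTED_LAYOUT)):
        print(label, scan_layout_xml(record) or "clean")
```

In practice, run it over every row of the layout_update table (and any cms_page/cms_block layout overrides) and treat any non-empty result as a record to review by hand.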
