Magento Flaw Exploited to Inject Persistent Backdoor into Ecommerce Sites

April 5, 2024

Sansec, a cybersecurity firm, has disclosed that a critical vulnerability in Magento, tracked as CVE-2024-20720, is being exploited by attackers to implant a persistent backdoor on ecommerce websites. This vulnerability, an OS command injection flaw that allows for arbitrary code execution without user interaction, was resolved by Adobe in its February 2024 Tuesday Patch updates for both Adobe Commerce and Magento. However, some websites that have not been updated remain susceptible to exploitation.

The attackers have found a novel way to exploit CVE-2024-20720, using a crafted layout template in the database to inject XML code capable of re-infecting Magento servers even after a manual fix has been implemented. Sansec explains, “Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever /checkout/cart is requested”.

In the observed attacks, the backdoor is incorporated into the automatically generated content management system (CMS) controller. This ensures the backdoor is periodically re-injected, providing persistent remote code execution through POST commands. The threat actors have utilized this mechanism to inject a counterfeit Stripe payment skimmer and exfiltrate payment data from the compromised online stores.

Users are urged to promptly update to Magento versions 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7, and to scan their websites for potential signs of a malware infection.

Latest News

• Ivanti Patches High-Risk Vulnerabilities in VPN Gateways
• Google Addresses Additional Chrome Zero-Day Exploited at Pwn2Own
• Google Patches Two Zero-Day Vulnerabilities in Pixel Phones Exploited by Forensic Firms
• Mispadu Banking Trojan Spreads Across Europe, Compromising Thousands of Credentials
• Binarly Introduces Free Online Scanner to Detect Linux Backdoor