Recent cybersecurity research has unveiled a severe security vulnerability known as CosmicSting (CVE-2024-34102) that has compromised approximately 5% of all Adobe Commerce and Magento stores. This critical flaw, which has been assigned a CVSS score of 9.8, is linked to an improper restriction of XML external entity references (XXE), leading to potential remote code execution. Initially patched by Adobe in June 2024, the flaw has since become the target of extensive exploitation, with attacks occurring at a staggering rate of three to five compromised sites per hour.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CosmicSting to its Known Exploited Vulnerabilities (KEV) catalog in mid-July, underscoring the urgency of addressing this threat. Cybercriminals have been observed weaponizing this vulnerability to steal secret encryption keys used by Magento, allowing them to generate JSON Web Tokens (JWTs) that grant full administrative API access. By exploiting the Magento REST API, these attackers have injected malicious scripts into compromised systems, exacerbating the threat to online merchants.
The situation has grown more complicated, as subsequent attacks have linked CosmicSting to another vulnerability, CNEXT (CVE-2024-2961), found within the GNU C library (glibc). This combination enables threat actors to escalate their attacks to remote code execution, potentially taking complete control of affected systems. Security firm Sansec has emphasized that merely applying the latest patch is insufficient for protection; site owners must also take proactive measures to rotate their encryption keys and invalidate any old ones.
Several high-profile companies, including Ray-Ban, National Geographic, and Cisco, have reportedly fallen victim to these attacks. Multiple cybercriminal groups are participating in the exploitation efforts, employing various tactics to conceal their malicious activities. In light of these developments, Sansec urges merchants to upgrade to the latest versions of Magento or Adobe Commerce and implement stringent security measures to protect their online platforms. Failure to act could leave them vulnerable to persistent attacks that compromise customer data and undermine their business operations.
