It wouldn’t be the Friday before a three-day weekend without a new vulnerability. Or, a new vulnerability from a familiar face. Last week, @Peter-Automox wrote about Adobe’s out-of-band updates to patch a critical vulnerability in Adobe Commerce and Magento Open Source. That vulnerability, CVE-2022-24086, is an improper input validation flaw that allows arbitrary code execution and nets a 9.8/10 CVSS score. For this vulnerability, Adobe has released an out-of-band update on Monday, February 14th to remediate the vulnerability.

But the fun doesn’t stop there! Adobe has revised the initial security bulletin to include another emergency patch for another zero-day discovered in Magento and Commerce. This new vulnerability, CVE-2022-24087, is also an improper input validation issue similar to their previous vulnerability.

This new vulnerability is equally as severe, with a 9.8/10 CVSSv3.1 score, but Adobe is not aware of any exploitation in the wild of this vulnerability. We recommend prioritizing patching as soon as possible for both vulnerabilities since Magento has been a target for attackers. For recommended remediation and next steps, check out the Automox blog.