CVE-2022-24086
Published: 16 February 2022
Summary
CVE-2022-24086 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe Commerce. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Commerce versions 2.4.3-p1 and earlier along with 2.3.7-p2 and earlier contain an improper input validation flaw (CWE-20) in the checkout process. The issue carries a CVSS 3.1 score of 9.8 and stems from insufficient validation of untrusted data supplied during order processing.
An unauthenticated attacker can send specially crafted input over the network to trigger arbitrary code execution on the affected server without any user interaction. Successful exploitation grants the attacker full control over the application and underlying system.
Adobe’s security bulletin APSB22-12 details the affected releases and directs customers to apply the supplied patches. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, confirming observed in-the-wild use.
The associated EPSS score has remained consistently high, reaching a peak of 0.9385, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0975
Vulnerability details
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all input to the checkout process, blocking the crafted payloads that trigger arbitrary code execution in this CVE.
- SI-2 (Flaw Remediation): Mandates timely application of vendor patches for the known input-validation flaw listed in APSB22-12 and CISA KEV.
- RA-5 (Vulnerability Monitoring and Scanning): Requires continuous vulnerability scanning to identify unpatched Adobe Commerce instances susceptible to this unauthenticated RCE.
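The scanning control above depends on comparing each instance's version against the affected ranges stated in this record (2.4.3-p1 and earlier on the 2.4 line, 2.3.7-p2 and earlier on the 2.3 line). Adobe Commerce version strings carry a "-pN" security patch level that plain dotted-version comparison mishandles, so the added example below (not part of this record or of Adobe's tooling) parses that suffix and orders versions correctly: 2.4.3 < 2.4.3-p1 < 2.4.3-p2 < 2.4.4. The inventory lines are constructed, and the "Magento CLI x.y.z" output format they imitate is an assumption about the version command rather than something this page states. Because the bulletin supplies patches rather than a new release, a version inside the affected range marks a candidate for follow-up, not a confirmed unpatched instance.

```python
import re
from typing import Dict, NamedTuple, Optional


class CommerceVersion(NamedTuple):
    """Adobe Commerce version with its optional "-pN" security patch level."""
    major: int
    minor: int
    patch: int
    plevel: int  # value of the "-pN" suffix; 0 when the suffix is absent

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.patch}"
        return f"{base}-p{self.plevel}" if self.plevel else base


# Matches "2.4.3" or "2.4.3-p1" anywhere in a string (e.g. inside CLI output).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?\b")


def parse_version(text: str) -> Optional[CommerceVersion]:
    """Extract the first version string from text; None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return CommerceVersion(int(major), int(minor), int(patch), int(plevel or 0))


# Upper bounds of the affected ranges, taken from this record's advisory text.
LAST_AFFECTED_24 = CommerceVersion(2, 4, 3, 1)  # 2.4.3-p1 and earlier on the 2.4 line
LAST_AFFECTED_23 = CommerceVersion(2, 3, 7, 2)  # 2.3.7-p2 and earlier otherwise


def is_in_affected_range(v: CommerceVersion) -> bool:
    """True when the version falls inside a range the advisory lists as affected.

    Tuple comparison orders the patch level after the dotted version, so
    2.3.7-p3 sorts above 2.3.7-p2 (outside the range) while still sorting
    below 2.4.0 (which is judged against the 2.4-line bound instead).
    """
    if (v.major, v.minor) == (2, 4):
        return v <= LAST_AFFECTED_24
    return v <= LAST_AFFECTED_23


# Constructed inventory: "host,version-command output" (format is an assumption).
INVENTORY = """\
shop-a.example,Magento CLI 2.4.3-p1
shop-b.example,Magento CLI 2.4.3-p2
shop-c.example,Magento CLI 2.3.7-p3
shop-d.example,Magento CLI 2.3.7
shop-e.example,version lookup failed
"""


def scan_inventory(inventory: str) -> Dict[str, str]:
    """Classify each host as in-affected-range, outside-range or unparsed."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, output = line.partition(",")
        version = parse_version(output)
        if version is None:
            results[host] = "unparsed"  # needs manual follow-up, never silently skipped
        elif is_in_affected_range(version):
            results[host] = "in-affected-range"
        else:
            results[host] = "outside-range"
    return results


if __name__ == "__main__":
    for host, status in scan_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "in-affected-range" should be cross-checked against whether the APSB22-12 patch has actually been applied, since applying it does not change the version string; hosts reported as "unparsed" are returned explicitly so that a failed version lookup is not mistaken for a clean result.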