
CVE-2024-20720

Severity: Critical · Impact: RCE

Published: 15 February 2024

Modified: 21 November 2024
KEV Added: not listed
Patch: see Adobe advisory APSB24-03 below
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0720 (91.8th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20720 is a critical-severity OS Command Injection (CWE-78) vulnerability in Adobe Commerce. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier contain an OS command injection vulnerability (CWE-78) that permits arbitrary code execution. The flaw stems from improper neutralization of special elements in operating system commands and carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.

An authenticated attacker with administrative privileges can send crafted input over the network to trigger command execution on the affected server, resulting in full control of the application and underlying system without any victim interaction.

Adobe has published advisory APSB24-03 at https://helpx.adobe.com/security/products/magento/apsb24-03.html, which addresses the issue for Magento/Adobe Commerce and directs customers to the corresponding security patches. The associated EPSS score has remained modest, with a current value of 0.0720 and a recorded peak of 0.0844.


Vulnerability details

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Adobe
Product: Commerce
Versions: 2.4.4, 2.4.5, 2.4.6 (patch levels up to 2.4.4-p6, 2.4.5-p5 and 2.4.6-p3 respectively)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Managed runtime / sandboxing (addresses CWE-78): platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Input validation (addresses CWE-78): validates inputs to block special elements that would alter OS command execution.
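The input-validation control above is generic to CWE-78, so the following is an added illustration of it and is not code from Adobe Commerce or from this advisory. It assumes a hypothetical server-side feature that passes one user-supplied parameter to a command-line tool, and shows three defensive layers: an allowlist validator that rejects shell special elements, passing the value as a separate argv element so no shell ever parses it, and, where a shell string is unavoidable, quoting with `shlex.quote`. The tool name `report-tool` and the `--name` option are invented for the example.

```python
import re
import shlex
import subprocess

# Allowlist for an identifier-style parameter: letters, digits, dot, dash, underscore.
# Anything else (including ; | & ` $ and whitespace) is rejected outright.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Shell special elements that change command structure if they reach /bin/sh.
SHELL_META = set(";&|`$<>(){}[]*?!\\'\" \t\n\r")


def validate_token(value: str) -> str:
    """Return the value unchanged if it matches the allowlist, else raise."""
    if not isinstance(value, str) or SAFE_TOKEN.fullmatch(value) is None:
        raise ValueError(f"rejected parameter: {value!r}")
    return value


def contains_shell_meta(value: str) -> bool:
    """Detection helper: True if the value carries any shell metacharacter."""
    return any(ch in SHELL_META for ch in value)


def build_argv(tool: str, user_value: str) -> list:
    """Preferred pattern: validated value becomes one argv element, no shell involved."""
    return [tool, "--name", validate_token(user_value)]


def shell_line_unsafe(tool: str, user_value: str) -> str:
    """The anti-pattern: raw concatenation into a string a shell would parse."""
    return f"{tool} --name {user_value}"


def shell_line_quoted(tool: str, user_value: str) -> str:
    """Fallback when a shell string is unavoidable: quote so the value stays one word."""
    return f"{tool} --name {shlex.quote(user_value)}"


def run_tool(tool: str, user_value: str) -> str:
    """Execute with argv list and shell=False; returns stdout (empty on failure)."""
    result = subprocess.run(build_argv(tool, user_value), shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one benign value and one carrying an injected command.
    for candidate in ("report-2024.csv", "report; id"):
        try:
            print("accepted:", build_argv("report-tool", candidate))
        except ValueError as err:
            print("blocked: ", err, "| meta present:", contains_shell_meta(candidate))
    # With a hypothetical tool name the call simply fails closed; 'echo' is used
    # here only so the safe execution path can be observed locally.
    print(run_tool("echo", "safe-value").strip())
```

`shlex.split` makes the difference visible: the unquoted line for `report; id` tokenises into four words, whereas the quoted line keeps the payload as a single `--name` argument; the argv path never reaches a shell at all, which is why it is the first choice.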
