Cyber Resilience

CVE-2024-34102

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 June 2024
Modified: 23 October 2025
KEV Added: 17 July 2024
Patch: Adobe advisory APSB24-40
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9417 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-34102 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe Commerce. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier contain an XXE vulnerability (CWE-611) that permits arbitrary code execution. The flaw stems from improper restriction of XML external entity references and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated attacker can send a crafted XML document containing malicious external-entity references directly to the affected application, resulting in full compromise of confidentiality, integrity, and availability. Exploitation does not depend on any prior foothold or victim action.

Adobe’s APSB24-40 advisory addresses the issue, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog. The associated EPSS score has reached a peak of 0.9733 with a current value of 0.9417, indicating sustained and substantial exploitation interest following disclosure.

Vulnerability details

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
KEV Date Added: 17 July 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / commerce: 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6
adobe / commerce webhooks: 1.2.0 to 1.5.0
adobe / magento: 2.4.4, 2.4.5, 2.4.6, 2.4.7

Mitigating Controls (NIST 800-53 r5)

prevent, SI-10 (Information Input Validation)

Directly requires validation and sanitization of XML input to block external entity references that enable the unauthenticated code execution in this CVE.

prevent, SI-2 (Flaw Remediation)

Mandates timely application of vendor patches (APSB24-40) that remediate the CWE-611 XXE flaw before exploitation occurs.

prevent

Enforces disabling unnecessary XML parser features such as external entity resolution on affected Adobe Commerce endpoints.
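The first and third controls above (validate XML input; disable external entity resolution) can be demonstrated together. The following is an added example written for this page, not Adobe Commerce or Magento code: it uses Python's standard-library expat parser as a pre-parse gate that rejects any document carrying a DOCTYPE, an entity declaration, or an external entity reference, and only then hands the document to the application's parser. The sample documents are constructed for the example; the file path in the external-entity sample is a placeholder, not a real target.

```python
"""Input validation gate for XML reaching an application endpoint.

Rejects any document that uses DTD constructs a data API never needs
(DOCTYPE, entity declarations, external entity references) before the
application's own XML parser sees it. Added example; not vendor code.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an XML document carries DOCTYPE or entity constructs."""


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE, entity
    declaration or external entity reference. Parameter-entity parsing is
    switched off as well, so the scanner itself never fetches anything."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference blocked ({sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def reject_reason(xml_bytes: bytes):
    """Return None when the document is acceptable, otherwise a short reason.
    Malformed input (including references to undeclared entities) is rejected too."""
    try:
        assert_no_dtd(xml_bytes)
    except UnsafeXMLError as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Validate first, then hand the document to the application parser."""
    reason = reject_reason(xml_bytes)
    if reason is not None:
        raise UnsafeXMLError(reason)
    return ET.fromstring(xml_bytes)


# Constructed sample documents (not captured traffic).
BENIGN_DOC = b'<?xml version="1.0"?><order><sku>ABC-123</sku><qty>2</qty></order>'

# External entity declaration; the system identifier is a placeholder path.
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>\n'
    b'<order><sku>&ext;</sku></order>'
)

# Internal entity only; still rejected because a data API never needs a DTD.
INTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY a "aaaa"> ]>\n'
    b'<order><sku>&a;</sku></order>'
)

# No DOCTYPE, but references an entity that was never declared.
UNDECLARED_ENTITY_DOC = b'<order><sku>&ext;</sku></order>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC),
                       ("undeclared entity", UNDECLARED_ENTITY_DOC)]:
        print(f"{label:18s} -> {reject_reason(doc) or 'accepted'}")
    print("sku:", parse_untrusted(BENIGN_DOC).findtext("sku"))
```

The gate is deliberately stricter than "do not resolve external entities": it refuses DOCTYPE altogether, because an order or webhook payload has no legitimate need for a DTD, and refusing early means the application parser's own feature flags are a second line of defence rather than the only one. The same shape applies to PHP's libxml-based parsers used by Adobe Commerce, where external entity loading must likewise be disabled before untrusted input is parsed.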

References