Adobe announced a critical vulnerability affecting Adobe Commerce and Magento Open Source. Adobe Commerce merchants have been attacked and the exploitation of the vulnerability is in the wild right now.
An important detail of the vulnerability that Adobe shared is that no authentication is necessary in order to successfully execute a successful exploitation.
That means that an attacker doesn’t need to acquire a user login privilege in order to exploit the vulnerability.
The second detail about this exploit that Adobe shared is that admin privileges are not necessary for exploiting this vulnerability.
Adobe Vulnerability Ratings
Adobe published three rating metrics for vulnerabilities:
- Common Vulnerability Scoring System (CVSS)
- Priority
- Vulnerability Level
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open standard developed by a non-profit (First.org) that is based on a scale of 1 to 10 to score vulnerabilities.
A score of one is the least concerning and a score of ten is the highest level of severity of a vulnerability.
The CVSS score for the Adobe Commerce and Magento vulnerability is 9.8.
Vulnerability Priority Level
The priority metric has three levels, 1, 2, and 3. Level 1 is the most serious and level three is the least serious.
Adobe has listed the priority level of this exploit as 1, which is the highest level.
Level 1 priority level means that the the vulnerabilities are being actively exploited in websites.
This is the worst-case scenario for merchants because it means that unpatched instances of Adobe Commerce and Magento are vulnerable to being hacked.
Adobe’s definition of Priority Level 1 is:
“This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.
Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours).”
Vulnerability Level
Adobe’s vulnerability levels are named moderate, important and critical, with critical representing the most dangerous level.
The vulnerability level assigned to the Adobe Commerce and Magento Open source exploit is rated as critical, which is the most dangerous rating level.
Adobe’s definition of the critical rating level is:
“A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.”