CVE-2022-24086 — Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability

Adobe Commerce / Magento — Pre-Auth RCE via Server-Side Template Injection in Checkout

What is Adobe Commerce / Magento?

Adobe Commerce (formerly Magento Commerce) and its community edition, Magento Open Source, are among the most widely deployed e-commerce platforms, running hundreds of thousands of online stores. The platform handles product catalogs, shopping carts, checkout flows, payment processing, and order management. Because a Magento store sits in the path of payment card data and holds customer PII, it is a perennial target for payment card skimming (Magecart) and data theft.

Overview

CVE-2022-24086 is a pre-authentication remote code execution vulnerability in Adobe Commerce and Magento Open Source caused by improper input validation that enables server-side template injection. An unauthenticated attacker can inject malicious template directives through the checkout process, resulting in arbitrary PHP code execution on the server. CVSS 9.8 (Critical). Adobe issued an emergency out-of-band patch on February 13, 2022 — outside their normal patch cycle — indicating exploitation was already occurring. CISA added this to KEV just two days later, confirming active in-the-wild attacks.

Affected Versions

Product                Vulnerable              Fixed
Adobe Commerce         2.3.3-p1 – 2.3.7-p2     2.3.7-p3
Adobe Commerce         2.4.0 – 2.4.3-p1        2.4.3-p2
Magento Open Source    2.3.3-p1 – 2.3.7-p2     2.3.7-p3
Magento Open Source    2.4.0 – 2.4.3-p1        2.4.3-p2

Technical Details

The vulnerability (CWE-20, improper input validation) is a server-side template injection in the Magento checkout and order processing pipeline. Magento renders email notifications, invoices, and order confirmations through its template filter, which expands directives embedded in the template text. Certain customer-supplied fields, particularly address fields submitted during guest checkout, were stored with the order and later passed through that filter when the order emails were rendered, without the template directive syntax in them being neutralised. The customer's data was therefore treated as template code rather than as a value.

An attacker can inject template directives that execute arbitrary PHP code:

  • Magento's template syntax wraps directives in double curly braces; {{var ...}} resolves a variable or a chain of method calls at render time
  • A directive embedded in a checkout field can therefore reference PHP class methods on the objects the template exposes
  • Carefully crafted payloads chain those methods to reach exec() or similar OS command execution functions

The attack is achievable by any visitor to the store's checkout page — no customer account or prior authentication is needed (guest checkout is enabled on most stores).
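To make the mechanism concrete, the following Python toy model of this bug class is added here for illustration; it is not Magento's code. A {{var path}} directive is resolved reflectively against an order object. The vulnerable renderer re-scans directive output for further directives, so a customer-supplied field that contains template syntax is itself executed as a template. The hardened renderer does a single pass, permits only an allowlist of plain attribute lookups, and HTML-escapes the result. The Order, Shell, TEMPLATE and ALLOWED names are invented for the example, and Shell only records the command it would have run instead of executing anything.

```python
"""Toy model of the checkout template-injection bug class (added example, not Magento code)."""
import html
import re

# {{var <path>}}; path segments are dotted names, optionally a call with one quoted argument
DIRECTIVE = re.compile(r"\{\{\s*var\s+([^}]+?)\s*\}\}")
SEGMENT = re.compile(r"^(\w+)(?:\((?:'([^']*)')?\))?$")

# Constructed order-confirmation template (assumption, not Magento's real template)
TEMPLATE = "Dear {{var this.firstname}}, thanks for your order."
# Attributes a template may read in the hardened renderer (assumed allowlist)
ALLOWED = {"firstname", "lastname", "email"}


class Shell:
    """Stand-in for an OS command sink: records the command instead of running it."""

    def run(self, cmd):
        return f"EXECUTED:{cmd}"


class Order:
    """Minimal stand-in for the order object a template sees as 'this'."""

    def __init__(self, firstname, shell):
        self.firstname = firstname  # customer-controlled checkout field
        self.shell = shell          # internal helper the template was never meant to reach


def resolve(path, root):
    """Walk a dotted path reflectively: attribute lookups plus zero/one-argument method calls."""
    obj = root
    for seg in path.split("."):
        m = SEGMENT.match(seg)
        if not m:
            raise ValueError(f"bad segment: {seg!r}")
        name, arg = m.group(1), m.group(2)
        obj = obj[name] if isinstance(obj, dict) else getattr(obj, name)
        if seg.endswith(")"):
            obj = obj(arg) if arg is not None else obj()
    return obj


def render_vulnerable(template, order, max_passes=5):
    """Expand directives, then re-scan the output: customer data becomes template code."""
    ctx = {"this": order}
    out = template
    for _ in range(max_passes):  # bounded so a self-referencing value cannot loop forever
        if not DIRECTIVE.search(out):
            break
        out = DIRECTIVE.sub(lambda m: str(resolve(m.group(1), ctx)), out)
    return out


def render_hardened(template, order):
    """Single pass, allowlisted plain attributes only, output escaped and never re-scanned."""
    ctx = {"this": order}

    def sub(m):
        path = m.group(1)
        parts = path.split(".")
        if len(parts) != 2 or parts[0] != "this" or parts[1] not in ALLOWED:
            raise ValueError(f"directive not permitted: {path!r}")
        return html.escape(str(resolve(path, ctx)))

    # re.sub does not revisit substituted text, so a value containing {{var ...}} stays inert
    return DIRECTIVE.sub(sub, template)


def demo(firstname):
    """Render one checkout value both ways; returns (vulnerable_output, hardened_output)."""
    order = Order(firstname, Shell())
    return render_vulnerable(TEMPLATE, order), render_hardened(TEMPLATE, order)


if __name__ == "__main__":
    # Constructed sample values: a normal name and a template-syntax payload
    for name in ("Alice", "{{var this.shell.run('id')}}"):
        vuln, safe = demo(name)
        print(f"input:      {name}\nvulnerable: {vuln}\nhardened:   {safe}\n")
```

Running the block shows the payload in the firstname field turning into EXECUTED:id under the vulnerable renderer and surviving only as escaped text under the hardened one. The two properties that matter carry over to real template engines: output of a directive must never be re-interpreted as template text, and a directive must never be able to name arbitrary methods.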

Discovery

Adobe stated they were "aware that CVE-2022-24086 is being exploited in the wild in very limited attacks" in their advisory — language indicating targeted attacks had already been observed before the patch was published.

Exploitation Context

Magento/Adobe Commerce stores are targeted constantly by the Magecart group ecosystem, which implants JavaScript payment card skimmers. CVE-2022-24086 enables a more direct attack:

  • Webshell deployment: Upload a PHP backdoor to a web-accessible directory for persistent access
  • Payment skimmer injection: Modify Magento templates or JavaScript to inject card skimming code
  • Database access: Execute SQL queries to extract customer payment data, credentials, and PII
  • Supply chain attacks: Modify the store's JavaScript assets to distribute malware to customers

The out-of-band patch, shipped ahead of Adobe's regular cycle, signals that Adobe judged the observed exploitation serious enough not to wait; its advisory described attacks targeting Adobe Commerce merchants.

Remediation

  1. Apply the patch immediately: Upgrade to Magento 2.3.7-p3 or 2.4.3-p2 (or later). For stores that cannot upgrade, APSB22-12 provided the isolated patch MDVA-43395 for the affected 2.3.x and 2.4.x releases. Note that Adobe followed up on 17 February 2022 with APSB22-13 (CVE-2022-24087), a second isolated patch (MDVA-43443) that must be applied on top of the first; a store that applied only MDVA-43395 is not fully fixed. Both fixes are included in 2.3.7-p3 and 2.4.3-p2.
  2. Keep up with Magento security patching: Subscribe to Adobe's security notifications and apply Critical and emergency bulletins the day they are published.
  3. Web Application Firewall: Deploy a WAF with Magento-specific rules that block template directive syntax (double curly braces followed by a directive keyword) in checkout fields. Treat this as a compensating control only; payload encoding and alternative directives can evade pattern rules, and patching is the fix.
  4. Disable guest checkout if unused: Reduces the attack surface for pre-auth vectors.
  5. Monitor for webshells and file changes: Use file integrity monitoring on the Magento root directory. Unexpected PHP files or modified JavaScript assets may indicate compromise.
  6. Review stored checkout data for suspicious values: If the patch was delayed, examine order, quote and customer address records and order comments from the vulnerability window for entries containing template directive syntax. Quote records matter because an exploitation attempt that never converted into an order leaves no trace in the order tables.
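For step 6, the following Python scanner is added here as an example; it is not Adobe or Magento tooling. It flags stored checkout fields that contain Magento template directive syntax and ranks a finding higher when it also contains method names that public exploit write-ups for this CVE used. The rows are constructed for the example; in practice export them from the sales_order_address and quote_address tables and from order comments. The INDICATORS list and the field names are assumptions and should be treated as a starting point: any directive syntax at all in an address field is a finding worth examining.

```python
"""Hunt for template-injection payloads in stored checkout data (added example, not Magento code)."""
import html
import re

# An opening Magento template directive: {{ followed by a directive keyword
DIRECTIVE = re.compile(r"\{\{\s*(var|depend|if|block|trans|template|config)\b", re.IGNORECASE)

# Method/function names reported in public exploit payloads for this bug class (assumed indicator list)
INDICATORS = ("getTemplateFilter", "addAfterFilterCallback", "filter(",
              "system", "exec", "passthru", "shell_exec")

# Address and comment columns worth scanning (assumption; extend to match your export)
FIELDS = ("firstname", "lastname", "street", "city", "company", "telephone", "email", "comment")


def scan_row(row):
    """Return a list of findings for one exported row (a dict of column -> value)."""
    findings = []
    for field in FIELDS:
        raw = row.get(field)
        if not raw:
            continue
        # Stored values may be entity-encoded; decode before matching so &#123;&#123; is still caught
        text = html.unescape(str(raw))
        if not DIRECTIVE.search(text):
            continue
        lowered = text.lower()
        hits = [ind for ind in INDICATORS if ind.lower() in lowered]
        findings.append({
            "id": row.get("id"),
            "field": field,
            "severity": "high" if hits else "medium",
            "indicators": hits,
            "value": text[:120],
        })
    return findings


def scan_rows(rows):
    """Scan many rows; findings keep row order, then FIELDS order within a row."""
    out = []
    for row in rows:
        out.extend(scan_row(row))
    return out


# Constructed sample export: one clean row, one payload, one bare directive, one entity-encoded directive
SAMPLE_ROWS = [
    {"id": 1001, "firstname": "Alice", "lastname": "Smith", "street": "123 Main St", "city": "Springfield"},
    {"id": 1002, "firstname": "Guest", "lastname": "Guest",
     "street": "{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(id)}}", "city": "x"},
    {"id": 1003, "firstname": "{{depend foo}}Bob", "lastname": "Jones", "street": "1 High St", "city": "Leeds"},
    {"id": 1004, "firstname": "Eve", "lastname": "L", "street": "2 Low Rd",
     "city": "&#123;&#123;var this.firstname}}"},
]


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"[{f['severity'].upper()}] row {f['id']} field {f['field']}: {f['value']}")
        if f["indicators"]:
            print("         indicators:", ", ".join(f["indicators"]))
```

Feed it the rows from a database export (for example a CSV loaded with csv.DictReader) and review every hit, not only the high ones; a medium finding is still template syntax where a postal address should be, and the attacker's payload may use a directive or method chain the indicator list does not know.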

Key Details

Property               Value
CVE ID                 CVE-2022-24086
Vendor / Product       Adobe Commerce and Magento Open Source
NVD Published          2022-02-16
NVD Last Modified      2025-10-23
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-20 (Improper Input Validation)
CISA KEV Added         2022-02-15
CISA KEV Deadline      2022-03-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-03-01. Apply updates per vendor instructions.

Timeline

Date          Event
2022-02-13    Adobe released emergency out-of-band patch APSB22-12 (isolated patch MDVA-43395)
2022-02-15    Added to CISA Known Exploited Vulnerabilities catalog (two days after the patch)
2022-02-16    CVE record published by NVD
2022-02-17    Adobe released APSB22-13 for the related CVE-2022-24087 (isolated patch MDVA-43443, applied on top of MDVA-43395)
2022-03-01    CISA BOD 22-01 remediation deadline

References

Resource                              Type
NVD entry for CVE-2022-24086          Vulnerability database
CISA KEV catalog entry                US Government
Adobe Security Bulletin APSB22-12     Vendor advisory