CVE-2024-34102 — Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability

CVE-2024-34102

Adobe Commerce / Magento — "CosmicSting" XXE + PHP Deserialization → Pre-Auth RCE; CVSS 9.8; Tens of Thousands of Stores Compromised

What is Adobe Commerce / Magento?

Adobe Commerce (formerly Magento Commerce) and Magento Open Source are the dominant e-commerce platform powering hundreds of thousands of online stores worldwide, from small retailers to major enterprise brands. Magento stores process customer payment card data, manage customer personally identifiable information (PII), and control the entire purchase transaction flow. This makes Magento a prime target for digital skimming (Magecart attacks): attackers who compromise a Magento store can inject malicious JavaScript that silently captures credit card numbers from every customer checkout. Magento has historically been heavily targeted by organized crime groups specializing in card theft.

Overview

CVE-2024-34102 — dubbed "CosmicSting" by researchers at Sansec — is an XML External Entity (XXE) injection vulnerability (CWE-611) in Adobe Commerce and Magento Open Source. It stems from the REST API's handling of nested objects in request bodies: the web API framework could be steered into constructing a SimpleXMLElement from attacker-supplied XML with external entity substitution enabled, so an unauthenticated attacker can read arbitrary files from the server, including app/etc/env.php, which holds the store's encryption key. With that key an attacker can forge API tokens and act as an administrator; combined with CVE-2024-2961, an out-of-bounds write in glibc's iconv that PHP exposes through its iconv() and php://filter conversions, the same file-read primitive has been chained into unauthenticated remote code execution. Adobe patched the XXE on June 11, 2024 (APSB24-40), but the mass exploitation wave hit within weeks — Sansec reported tens of thousands of stores compromised by late July 2024.

Affected Versions

Product                      Vulnerable     Fixed
Adobe Commerce 2.4.x         2.4.0–2.4.7    2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
Magento Open Source 2.4.x    2.4.0–2.4.7    2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9

Technical Details

Phase 1 — XXE to file read (CVE-2024-34102): The defect is in the REST API's request deserialization, not in a product import/export feature. When the web API framework maps a JSON request body onto the typed objects an endpoint expects, it builds nested objects recursively according to constructor parameter types and takes each constructor's arguments from the request. That object graph can be steered into a SimpleXMLElement, whose constructor takes the XML string and the libxml option flags from the request; passing LIBXML_NOENT switches on external entity substitution. Endpoints such as the guest-cart operations accept nested objects from unauthenticated callers, so no account is needed. The attacker's XML declares an external entity pointing at the target file. Because env.php is PHP source rather than well-formed XML, the entity is fetched through a php://filter URI that base64-encodes it (e.g. <!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=<magento-root>/app/etc/env.php">]>, with <magento-root> standing for the install path); the parser resolves the entity and the encoded file content is exfiltrated either in the response or out of band, via a parameter entity that loads an attacker-hosted DTD.

Target file — app/etc/env.php: This is Magento's main configuration file, containing:

  • The Magento crypt/key (encryption key) — used to encrypt stored secrets such as payment and integration credentials and to sign the JSON Web Tokens the REST API accepts as admin and customer access tokens
  • Database credentials (hostname, username, password)
  • Other API keys and integration secrets
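The vulnerable pattern and its two fixes, as an added example rather than Magento's own code. It models the request-driven object construction described above with a small reflection-based factory and two constructed classes (Address and XmlSource, standing in for the real API data object and the config class that wraps XML), leaks a temporary file that stands in for app/etc/env.php through the php://filter trick, and then shows the factory refusing anything that is not an API data object and a parser that rejects DOCTYPEs for custom code. Only SimpleXMLElement and the libxml flags are real; everything else is constructed for the demo. It needs PHP 8.1 or later for named-argument spreading.

```php
<?php
// Added example, not Magento's code: a simplified model of the CVE-2024-34102
// pattern. A web-API input processor builds the objects an endpoint expects by
// reflecting constructor parameter types and taking every constructor argument
// from the request body. If that object graph reaches SimpleXMLElement, the
// request also controls the libxml options, and LIBXML_NOENT turns on external
// entity substitution. The class names, parameter names and the secret file
// below are constructed for this demo; only SimpleXMLElement is real.
declare(strict_types=1);

interface ApiData {}                                     // marker for legitimate API data objects

final class XmlSource {                                  // stands in for a config class wrapping XML
    public function __construct(public SimpleXMLElement $sourceData) {}
}

final class Address implements ApiData {
    public function __construct(public string $street = '', public ?XmlSource $extra = null) {}
}

/**
 * Build $class from request data by constructor parameter name, recursing into
 * class-typed parameters. With $strict = false this is the vulnerable behaviour;
 * with $strict = true it refuses to build anything that is not an ApiData object.
 */
function createFromArray(string $class, array $data, bool $strict = false): object
{
    $ref = new ReflectionClass($class);
    if ($strict && ($ref->isInternal() || !$ref->implementsInterface(ApiData::class))) {
        throw new InvalidArgumentException("$class is not an API data object");
    }
    $args = [];
    foreach ($ref->getConstructor()->getParameters() as $param) {
        $name = $param->getName();
        if (!array_key_exists($name, $data)) {
            continue;                                    // constructor default applies
        }
        $type = $param->getType();
        $isClass = $type instanceof ReflectionNamedType && !$type->isBuiltin();
        $args[$name] = ($isClass && is_array($data[$name]))
            ? createFromArray($type->getName(), $data[$name], $strict)
            : $data[$name];
    }
    return new $class(...$args);                         // named-argument spread, PHP 8.1+
}

/** Parser-side hardening for custom code: no DTD, no entity substitution, no network. */
function parseXmlSafe(string $xml): SimpleXMLElement
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    return new SimpleXMLElement($xml, LIBXML_NONET);      // never LIBXML_NOENT
}

// ---- Demo: a constructed stand-in for app/etc/env.php ----
$secret = tempnam(sys_get_temp_dir(), 'envphp');
file_put_contents($secret, "<?php return ['crypt' => ['key' => 'CONSTRUCTED-KEY-0123']];");

// env.php is PHP source, not well-formed XML, so the entity reads it through
// php://filter with base64 encoding, which is how the file is leaked in practice.
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=' . $secret . '">]>'
     . '<root><leak>&xxe;</leak></root>';

// The request supplies both the XML and the options flag (16 == LIBXML_NOENT).
$request = ['street' => '1 Main St', 'extra' => ['sourceData' => ['data' => $xml, 'options' => LIBXML_NOENT]]];

$addr = createFromArray(Address::class, $request);          // vulnerable factory
echo "leaked: ", base64_decode((string) $addr->extra->sourceData->leak), "\n";

try {
    createFromArray(Address::class, $request, strict: true); // hardened factory
} catch (InvalidArgumentException $e) {
    echo "strict factory: ", $e->getMessage(), "\n";
}
try {
    parseXmlSafe($xml);                                      // hardened parser
} catch (InvalidArgumentException $e) {
    echo "safe parser: ", $e->getMessage(), "\n";
}
unlink($secret);
```

Run it with `php xxe_model.php`: the first line prints the decoded contents of the temporary file, the strict factory stops at XmlSource (a non-data class) before any XML is ever parsed, and the parser rejects the DOCTYPE outright. The factory check is the equivalent of the vendor fix; the parser check is what custom modules that parse untrusted XML themselves need regardless of the patch.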

Phase 2 — from the encryption key to admin access and RCE: The leaked crypt/key is what turns CosmicSting from an information leak into a takeover. Magento signs the JSON Web Tokens used as REST API access tokens with that key, so an attacker who holds it can mint an administrator token and use the admin API, which is how the CosmicSting skimmers were placed. For code execution, the XXE file read is chained with CVE-2024-2961, an out-of-bounds write in glibc's iconv (ISO-2022-CN-EXT) that PHP reaches through iconv() and the php://filter convert.iconv.* stream filters (it is not a bug in mb_convert_encoding(), which belongs to mbstring). Charles Fol's published technique turns an arbitrary file read primitive into PHP code execution through that bug, with no deserialization gadget chain required.

Magecart deployment: Post-exploitation, attackers typically inject JavaScript payment skimmers into Magento's checkout templates, silently capturing credit card numbers and CVVs from all future customer purchases.

Discovery

Adobe's APSB24-40 advisory credits the researcher known as "spacewasp" with reporting CVE-2024-34102. Sansec coined the name "CosmicSting" and tracked the resulting mass exploitation wave. CVE-2024-2961, the glibc iconv bug used in the RCE chain, was discovered by Charles Fol of Ambionics, who also published the technique for exploiting it from PHP.

Exploitation Context

Sansec documented tens of thousands of Magento stores compromised via CosmicSting in July–August 2024, making it one of the largest mass-exploitation events in Magento's history. Multiple organized crime groups simultaneously exploited the vulnerability:

  • Vacuum group: A sophisticated Magecart group that scraped Magento secret keys using the XXE and installed payment skimmers on hundreds of major retailer sites
  • Bobry group and others: Multiple independent groups ran automated scanners to harvest vulnerable stores and deploy skimmers in bulk

The scale reflects how quickly mass Magento exploitation happens after a critical vulnerability: thousands of Magento operators failed to patch within the June–July 2024 window, exposing their customers' payment data.

Remediation

  1. Apply Adobe APSB24-40 patches immediately — upgrade to Adobe Commerce/Magento 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, or 2.4.4-p9. The CISA deadline was August 7, 2024.
  2. Rotate the Magento crypt/key immediately if the store was unpatched during June–July 2024 — the key must be considered compromised. Rotate it from the admin panel (System > Other Settings > Manage Encryption Key), then open app/etc/env.php and confirm the old value is no longer present: Magento keeps earlier keys in the same crypt/key entry, one per line, and continues to accept them for decryption, so a stolen key that has merely moved down the list is still usable.
  3. Audit checkout page JavaScript for injected payment skimmers: review all JavaScript loaded on checkout pages against known-good baselines, especially inline <script> tags and external JavaScript resources from unfamiliar domains.
  4. Review Magento admin panel user accounts for unauthorized admin accounts created post-exploitation.
  5. Rotate all credentials stored in app/etc/env.php (database password, API keys) if exploitation is suspected.
  6. There is no separate XXE protection switch to enable: the patch removes the web API's ability to build arbitrary objects (and so a SimpleXMLElement with attacker-chosen options) from request bodies. Separately, audit custom modules and third-party extensions for simplexml_load_string(), new SimpleXMLElement() and DOMDocument::loadXML() calls that pass LIBXML_NOENT or accept a DOCTYPE from untrusted input, and remove the flag or reject the DTD.
  7. Notify payment card acquirer if payment data may have been exposed — PCI DSS incident response obligations apply.
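A triage script for steps 1 to 3 above, added here as an example and not Adobe's or Magento's tooling. It compares the release recorded in composer.lock with the APSB24-40 fixed versions, counts the crypt keys left in app/etc/env.php after a rotation, and lists external script hosts on a saved checkout page that are not on an allowlist. The Magento root path, the saved checkout HTML file and the allowlist hosts are assumptions to adapt per deployment; the fixed-version table is the one from APSB24-40.

```php
<?php
// Added example, not Adobe's or Magento's tooling: a triage script for the
// remediation steps above. It checks the installed release against the
// APSB24-40 fixed versions, counts the crypt keys in app/etc/env.php, and lists
// script hosts on a saved checkout page that are not on an allowlist. The
// Magento root path, the checkout HTML file and the allowlist are assumptions
// to be adapted per deployment; the fixed-version table comes from APSB24-40.
declare(strict_types=1);

const FIXED_PATCH_LEVEL = ['2.4.7' => 1, '2.4.6' => 6, '2.4.5' => 8, '2.4.4' => 9];

/** Split "2.4.6-p5" into ["2.4.6", 5]; a release without -pN is patch level 0. */
function parseMagentoVersion(string $version): array
{
    if (!preg_match('/^(\d+\.\d+\.\d+)(?:-p(\d+))?/', $version, $m)) {
        throw new InvalidArgumentException("unrecognised version: $version");
    }
    return [$m[1], isset($m[2]) ? (int) $m[2] : 0];
}

/** True when the release already carries the CVE-2024-34102 fix. */
function isPatched(string $version): bool
{
    [$base, $patch] = parseMagentoVersion($version);
    if (!array_key_exists($base, FIXED_PATCH_LEVEL)) {
        // Lines newer than 2.4.7 postdate the fix; 2.4.3 and older (and 2.3.x)
        // got no fixed release and must be upgraded.
        return version_compare($base, '2.4.7', '>');
    }
    return $patch >= FIXED_PATCH_LEVEL[$base];
}

/** Installed version of the Magento metapackage recorded in composer.lock. */
function installedVersion(string $composerLock): ?string
{
    $lock = json_decode(file_get_contents($composerLock), true, 512, JSON_THROW_ON_ERROR);
    $metapackages = ['magento/product-community-edition', 'magento/product-enterprise-edition'];
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (in_array($pkg['name'] ?? '', $metapackages, true)) {
            return $pkg['version'];
        }
    }
    return null;
}

/**
 * env.php returns an array with the key(s) under ['crypt']['key']. After a
 * rotation Magento keeps the previous keys in that value, one per line, and
 * still uses them to decrypt data stored under them, so a key that is
 * considered stolen must be absent from this list, not just superseded.
 */
function cryptKeys(string $envPhp): array
{
    $env = include $envPhp;
    $keys = preg_split('/\s+/', trim((string) ($env['crypt']['key'] ?? '')));
    return array_values(array_filter($keys, 'strlen'));
}

/** Hosts of external <script src> tags that are not on the allowlist. */
function unexpectedScriptHosts(string $html, array $allowedHosts): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    $hosts = [];
    foreach ($doc->getElementsByTagName('script') as $script) {
        $host = parse_url($script->getAttribute('src'), PHP_URL_HOST);  // null for inline/relative
        if (is_string($host) && !in_array(strtolower($host), $allowedHosts, true)) {
            $hosts[strtolower($host)] = true;
        }
    }
    return array_keys($hosts);                          // inline scripts still need a manual diff
}

$root = $argv[1] ?? '.';                                // Magento root (assumption)
$version = installedVersion("$root/composer.lock");
printf("installed: %s -> %s\n", $version ?? 'unknown',
    $version !== null && isPatched($version) ? 'patched' : 'UNPATCHED, apply APSB24-40');

$keys = cryptKeys("$root/app/etc/env.php");
printf("crypt keys in env.php: %d%s\n", count($keys),
    count($keys) > 1 ? ' (older keys still decrypt; confirm the stolen one is gone)' : '');

if (isset($argv[2])) {                                  // checkout page saved with curl or a browser
    $bad = unexpectedScriptHosts(file_get_contents($argv[2]), ['shop.example', 'cdn.shop.example']);
    echo $bad ? 'unexpected script hosts: ' . implode(', ', $bad) . "\n" : "no unexpected script hosts\n";
}
```

Usage: `php cosmicsting_triage.php /var/www/magento checkout.html`. The version check deliberately parses the `-pN` suffix rather than relying on string comparison, because "2.4.6-p6" must count as fixed while "2.4.6-p5" must not. The script-host check only covers external sources; an inline skimmer pasted into a CMS block or layout update will not show up here and has to be found by diffing the rendered checkout page against a known-good copy.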

Key Details

Property               Value
CVE ID                 CVE-2024-34102
Vendor / Product       Adobe — Commerce and Magento Open Source
NVD Published          2024-06-13
NVD Last Modified      2025-10-23
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-611
CISA KEV Added         2024-07-17
CISA KEV Deadline      2024-08-07
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-08-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-06-11   Adobe releases APSB24-40 with patches for CVE-2024-34102 and 12 other vulnerabilities
2024-06-13   CVE published
2024-07-17   CISA adds CVE-2024-34102 to KEV, 36 days after the patch release, with mass exploitation of unpatched stores already documented
2024-07-25   Sansec reports tens of thousands of Magento stores compromised via CosmicSting
2024-08-07   CISA BOD 22-01 remediation deadline