Magento 2 Zero Day RCE Vulnerability – All Stores Patched

Adobe / Magento released an emergency patch on Sunday, February 13th for all Magento 2.3.3-p1 and higher stores. The Security Bulletin (APSB22-12) describes a remote code execution (RCE) vulnerability for Magento 2 stores (both Commerce and Open Source).

An RCE allows a hacker to run code or upload a file on a store without needing any special privileges. It is the worst kind of vulnerability for ecommerce software. Adobe indicated that it was already being exploited “in the wild”.

The patch is a small two-file change that closes the vulnerability by sanitizing inputs more thoroughly. The fix is seamless and does not cause any issues in M2 stores.

All Magento 2.3.3-p1 and higher stores hosted with LexiConn have been patched against this vulnerability. We have not detected any active exploits that used this entry point on our network.

If you have any questions about this patch, please let us know.
