
CosmicSting attack threatens 75% of Adobe Commerce stores


by Sansec Forensics Team

Published in Threat Research - June 18, 2024

One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores have been patched.

Update June 27th: Adobe has now provided an official, isolated fix that can be applied to installations without requiring an upgrade.
Update June 27th: our partner Hypernode has observed the first scanning and actual abuse in the wild. If you haven't patched, do so now!
Update June 23rd: Sergey Temnikov (aka spacewasp), who discovered the original issue, alerted us that third parties may gain API admin access without requiring a vulnerable Linux version (the iconv issue), which makes CosmicSting even more severe. He also suggested an improved emergency fix.

Read his analysis: How I Was Paid $9,000 for a Critical Vulnerability in Adobe Commerce

CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years. In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution. This killer bug grants full control to adversaries and the attack can be automated, which may lead to mass-hacks on a global scale. (Update July 1st: this is happening right now!)

Type: unauthorized XXE, RCE together with CVE-2024-2961
Severity: CVSS 9.8
Automatable: no interaction needed
Exploit: verified by Sansec, not public yet
Credits: discovered by spacewasp

"It's a bad one"

Its record severity score of 9.8 on the Common Vulnerability Scoring System (CVSS), a 10-point scale, prompted this Adobe statement:

It's a bad one and you should patch. It's likely only a matter of time before somebody posts an analysis and reproduction steps.

Adobe issued a patch for CosmicSting attacks last week. While Adobe (naturally) did not share specifics of the attack, Sansec was able to reproduce the attack from the patch code. We believe bad actors are already working on the same.

For context: similarly critical security issues have occurred only three times before in Magento’s history:

On each of these occasions, tens of thousands of stores got hacked, sometimes within hours. So it is vital to upgrade your stores as soon as possible.

Attack patterns

As of June 27th, we see actual attack and mass scanning attempts in the wild. We list attacker infrastructure so you may update your firewalls:

Upgrade concerns

Sansec, which monitors global eCommerce platforms, found that just 25% of stores have upgraded since the security release last week. A complicating factor is that the security release may break existing checkout functionality: Adobe backported the PCI-imposed CSP/SRI implementation from 2.4.7, which will likely break third-party JavaScript and inline scripts in your checkout flow. Sansec recommends switching CSP to 'Report-Only' mode before upgrading. This way your checkout keeps working, and you have sufficient time to investigate incompatible modules before the new PCI requirements come into effect in April 2025.
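What switching to Report-Only looks like in practice, as an added configuration example (not code from the Sansec post or from Adobe): a fragment of app/etc/config.php that sets the CSP mode for the storefront and admin areas and points violation reports at a collector. The csp/mode/.../report_only paths follow Adobe's documented CSP settings; the report_uri paths and the collector hostname are assumptions and placeholders you replace with your own.

```php
<?php
// Fragment of app/etc/config.php (or app/etc/env.php), added example only.
// Report-Only means the browser reports policy violations to report_uri but
// blocks nothing, so checkout keeps working while you inventory the
// third-party and inline scripts the backported 2.4.7 policy would otherwise stop.
return [
    // ... existing 'modules', 'scopes' and other sections stay as they are ...
    'system' => [
        'default' => [
            'csp' => [
                'mode' => [
                    // '1' = Report-Only (report, do not block); '0' = Restrict (enforce)
                    'storefront' => ['report_only' => '1'],
                    'admin'      => ['report_only' => '1'],
                ],
                // Assumed paths: where browsers POST violation reports (placeholder URL)
                'storefront' => ['report_uri' => 'https://csp-collector.example/report'],
                'admin'      => ['report_uri' => 'https://csp-collector.example/report'],
            ],
        ],
    ],
];
```

After editing config.php, flush the configuration cache (bin/magento cache:flush) and confirm with the browser's network inspector that storefront responses carry a Content-Security-Policy-Report-Only header rather than Content-Security-Policy. Flip report_only back to '0' only once the reports show no legitimate checkout script being flagged.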

It is also recommended to enable CSP monitoring. Sansec offers a free CSP monitoring service which you can set up in a few minutes.
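To show what CSP monitoring does with the reports a Report-Only policy generates, here is an added PHP example (not Sansec's service or any Adobe code): it parses CSP violation reports of the shape browsers POST to a report_uri, sorts each script-src violation into inline scripts that need fixing, known-good hosts missing from the policy, and unexpected hosts that deserve investigation, then aggregates counts. The sample reports and the allowlisted hostnames are constructed for the example.

```php
<?php
declare(strict_types=1);

// Hosts this store legitimately loads scripts from (constructed example values).
const ALLOWED_SCRIPT_HOSTS = ['store.example', 'js.stripe.com'];

/**
 * Normalise one CSP report (the JSON body of a report_uri POST) into the
 * fields that matter for triage. Returns null for anything that is not a CSP report.
 */
function parseCspReport(string $json): ?array
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    // Older browsers only send violated-directive, possibly with the policy value appended.
    $directive = $r['effective-directive'] ?? $r['violated-directive'] ?? 'unknown';
    $blocked = (string)($r['blocked-uri'] ?? '');
    // "inline" and "eval" are keywords, not URLs; keep them as-is, otherwise reduce to the host.
    $host = parse_url($blocked, PHP_URL_HOST);
    return [
        'directive'   => explode(' ', trim($directive))[0],
        'source'      => $host !== null && $host !== false ? $host : $blocked,
        'disposition' => $r['disposition'] ?? 'report',
        'document'    => $r['document-uri'] ?? '',
    ];
}

/** Decide what a script-src violation means for the store before enforcement is switched on. */
function classifyReport(array $report, array $allowlist): string
{
    if ($report['directive'] !== 'script-src') {
        return 'other';             // images, styles, frames: lower priority for checkout breakage
    }
    if ($report['source'] === 'inline' || $report['source'] === 'eval') {
        return 'inline-script';     // a module needs a nonce/hash or a rewrite before Restrict mode
    }
    if (in_array($report['source'], $allowlist, true)) {
        return 'allowlisted';       // the policy is simply missing a known-good host
    }
    return 'unknown-host';          // an unexpected third party on the page: investigate
}

/** Aggregate raw reports into counts per classification and source, most frequent first. */
function summarizeReports(array $jsonReports, array $allowlist): array
{
    $summary = [];
    foreach ($jsonReports as $json) {
        $report = parseCspReport($json);
        if ($report === null) {
            continue;
        }
        $key = classifyReport($report, $allowlist) . ':' . $report['source'];
        $summary[$key] = ($summary[$key] ?? 0) + 1;
    }
    arsort($summary);
    return $summary;
}

// Constructed sample reports, shaped like browser report_uri POST bodies.
$samples = [
    '{"csp-report":{"document-uri":"https://store.example/checkout/","effective-directive":"script-src","blocked-uri":"inline","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://store.example/checkout/","effective-directive":"script-src","blocked-uri":"https://js.stripe.com/v3/","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://store.example/checkout/","effective-directive":"script-src","blocked-uri":"https://cdn.unknown-party.test/loader.js","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://store.example/checkout/","effective-directive":"script-src","blocked-uri":"https://cdn.unknown-party.test/loader.js","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://store.example/","effective-directive":"img-src","blocked-uri":"https://img.example/banner.png","disposition":"report"}}',
    'not a csp report',
];

foreach (summarizeReports($samples, ALLOWED_SCRIPT_HOSTS) as $key => $count) {
    printf("%-45s %d\n", $key, $count);
}
```

Run with php triage.php; the unknown-host line for cdn.unknown-party.test appears first with a count of 2, which is exactly the kind of entry to chase down before enforcing the policy, since an unfamiliar script host on the checkout page is how a skimmer typically shows up in CSP data.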

Emergency fix

Previously Sansec provided an emergency fix, but as of June 27th, Adobe provides an official, isolated security fix that can be applied all the way back to Magento 2.2.0, without having to upgrade. If you had previously applied the Sansec fix, we recommend replacing it with the official Adobe patch.
