Sansec's reports highlight CVE-2024-20720, a vulnerability in the Magento core that affects Adobe Commerce and Magento Open Source versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. Adobe patched the issue in its code back in February 2024, but if your store hasn't been updated, it may still be at risk.
Let’s review the situation, address concerns, and revisit the key steps necessary for securing your store.
Magento Persistent Backdoor Vulnerability: Overview
CVE-2024-20720, dubbed the "XML backdoor," is an OS Command Injection vulnerability in Magento's core XML processing. It allows arbitrary code execution: a malicious layout payload causes operating-system commands to run whenever the checkout cart is accessed. Worse still, the observed payload reinjects itself, so it returns even after it has been removed.
When this vulnerability was reported, one of Amasty's modules was mentioned in the sample XML code, illustrating how attackers abused the extension's layout block. We'd like to emphasize that the vulnerability did not originate in Amasty's extension, nor was it possible only because of the module's code. As the reports state, the issue stemmed from, and became exploitable because of, a flaw in Magento's core XML processing functionality.
Adobe acted quickly and released a patch in February 2024 to address this flaw in both Magento Open Source and Adobe Commerce. Any Magento version that is 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, or higher includes the fix that prevents such payloads from executing. The update (referenced as APSB24-03) is available in the Adobe Security Bulletin and should be applied immediately if it has not been already.
| Category | Impact | Severity | Authentication required? | Admin privileges required? | CVSS base score | CVSS vector | CVE number(s) |
|---|---|---|---|---|---|---|---|
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20720 |
How to Protect Your Magento Store from CVE-2024-20720
The XML backdoor vulnerability, though fixed in February 2024, remains a threat to any store still running older versions of Magento. If you haven't updated your Magento store to the latest version, now’s the time to act.
Here’s what you need to do:
1. Check Your Magento Version
First, verify whether your Magento store is running the latest version. You can check in two ways:
Method 1: From the Admin Panel
- Log in to your Magento Admin.
- Scroll to the bottom of any admin page: Catalog, Stores, System, etc.
- Look for the “Magento Version” label in the footer, where you’ll find the current version number.
Method 2: Using the Command Line
- Access your server using SSH.
- Navigate to your Magento installation directory.
- Run the following command: php bin/magento --version. It displays the Magento version installed on your server.
If your version is older than 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 (patched in February 2024), you need to apply the latest updates to safeguard your store from the XML backdoor.
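To make that comparison mechanical rather than by eye, here is an added example (not Amasty's or Magento's code) that classifies a version string against the three fix levels named above, treating 2.4.7 and later as fixed and anything below 2.4.4 as having no patched release. It assumes that php bin/magento --version prints a line such as "Magento CLI 2.4.6-p3"; the sample strings in the demo are constructed.

```shell
#!/bin/sh
# Added example: decide whether a Magento version is at or above the CVE-2024-20720
# fix levels 2.4.4-p7, 2.4.5-p6 and 2.4.6-p4 (or any higher release).
# Assumption: `php bin/magento --version` prints a line like "Magento CLI 2.4.6-p3".

# Pull the first dotted version token out of a string ("Magento CLI 2.4.6-p3" -> "2.4.6-p3").
extract_version() {
    for word in $1; do
        case "$word" in
            [0-9]*.[0-9]*) echo "$word"; return 0 ;;
        esac
    done
    return 1
}

# Split "2.4.6-p3" into four integers: "2 4 6 3". A release without a -pN suffix gets level 0.
parse_version() {
    base="${1%%-*}"
    plevel=0
    case "$1" in
        *-p*) plevel="${1##*-p}" ;;
    esac
    case "$plevel" in
        ''|*[!0-9]*) plevel=0 ;;   # suffixes such as "-beta1" carry no security patch level
    esac
    major="${base%%.*}"
    rest="${base#*.}"
    case "$rest" in
        *.*) minor="${rest%%.*}"; patch="${rest#*.}" ;;
        *)   minor="$rest"; patch=0 ;;
    esac
    echo "$major $minor $patch $plevel"
}

# Print "patched", "vulnerable" or "unknown" for a version string or the full CLI output line.
cve_2024_20720_status() {
    ver=$(extract_version "$1") || { echo "unknown"; return 0; }
    set -- $(parse_version "$ver")
    major=$1; minor=$2; patch=$3; plevel=$4
    for n in "$major" "$minor" "$patch" "$plevel"; do
        case "$n" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    done

    # Outside the 2.4.x line: newer releases include the fix, older ones never received it.
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then
        if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 4 ]; }; then
            echo "patched"
        else
            echo "vulnerable"
        fi
        return 0
    fi

    # Inside 2.4.x: per-release minimum security patch level from the article.
    case "$patch" in
        4) min_plevel=7 ;;
        5) min_plevel=6 ;;
        6) min_plevel=4 ;;
        *)
            # 2.4.7 and later ship with the fix; 2.4.3 and earlier have no patched release.
            if [ "$patch" -gt 6 ]; then echo "patched"; else echo "vulnerable"; fi
            return 0
            ;;
    esac
    if [ "$plevel" -ge "$min_plevel" ]; then echo "patched"; else echo "vulnerable"; fi
}

# Usage on a live store: sh check_magento_cve.sh "$(php bin/magento --version)"
# With no argument it runs over constructed sample strings instead.
if [ $# -gt 0 ]; then
    cve_2024_20720_status "$1"
else
    for sample in "Magento CLI 2.4.6-p3" "Magento CLI 2.4.6-p4" "2.4.5-p5" "2.4.5-p6" \
                  "2.4.4-p6" "2.4.4-p7" "2.4.7" "2.4.3-p3" "2.3.7-p4"; do
        printf '%-22s %s\n' "$sample" "$(cve_2024_20720_status "$sample")"
    done
fi
```

Run it over SSH from the Magento root with the CLI output as its argument; a result of "vulnerable" means the February 2024 fix is not present and the update steps below apply. The version check only tells you whether the core fix is installed; it does not tell you whether a payload was already planted before the update.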
2. Update Magento Core
If your Magento store is not up to date, you have several options for applying the latest security patches and updates.
🔄 Request Update Services
We understand that updating Magento can be complex, especially when you don’t have an IT team in-house. If you’d prefer a hassle-free solution, you can request our Magento 2 upgrade services – and move to a more recent, secure version. We will handle the entire process, ensuring your store is updated securely and without disruption.
⭯ Perform Magento Update Yourself
For those who prefer to manage updates on their own, we recommend following our detailed guide on upgrading Magento. This step-by-step article outlines 3 ways to upgrade your Magento 2, helping you choose the method that best fits your needs.
🔐 Install Security Patches
In case you’re not ready to update to a more recent Magento version, the least you should do is install the latest security patches. You can either try doing it yourself or request our security patch installation services. We guarantee the installation of the February 2024 patch to protect your store from XML threats while minimizing downtime.
3. Test Your Store
After updating, thoroughly test your store’s key functionalities. Make sure that your checkout process, product pages, and admin panel are operating as expected. Keep an eye out for any issues and refer to Magento’s troubleshooting guide if you encounter problems.
Risks of Staying on Earlier Versions
Neglecting to update your store leaves it exposed to the XML backdoor. Attackers can use this vulnerability to inject harmful code into your Magento store, which may lead to severe consequences, including:
- Unauthorized Access – Attackers can gain control over sensitive areas of your store, allowing them to manipulate data or perform unauthorized transactions.
- Data Breaches – Compromised customer data can result in significant financial losses and legal repercussions, as personal and payment information may be exposed.
- Loss of Customer Trust – A security breach can severely damage your reputation, leading to a decline in customer confidence and loyalty, which can be difficult to rebuild.
Update your Magento instance to protect your store from this vulnerability and to gain the additional security enhancements included in the patch. Don't wait: ensure a safe shopping experience for your customers as soon as possible.
Take Charge of Your Magento Security
Amasty remains committed to helping customers keep their stores secure. While Magento core updates are beyond our control, we actively ensure that our modules are built and maintained to the highest security standards. We’re also here to help you maintain an efficient and safe e-commerce ecosystem.
We strongly recommend updating your Magento installation immediately to safeguard your store, your customers, and your reputation. If you have any questions about securing your store or updating your Amasty modules, don’t hesitate to reach out to us.