Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named "spacewasp," was patched by Adobe in June 2024. Dutch security firm Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour. The flaw has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024. Some of these attacks involve weaponizing the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have then been observed taking advantage of the Magento REST API to inject malicious scripts. This also means that applying the latest fix alone is insufficient to secure against the attack, necessitating that site owners take steps to rotate the encryption keys. Subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the…Read More