PT-2022-1535 · Adobe · Commerce

Published 2022-02-13 · Updated 2025-07-30 · CVE-2022-24086

CVSS v3.1: 10 (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Name of the Vulnerable Software and Affected Versions:**

Adobe Commerce versions 2.4.3-p1 and earlier

Adobe Commerce versions 2.3.7-p2 and earlier

Magento Open Source versions 2.4.3-p1 and earlier

Magento Open Source versions 2.3.7-p2 and earlier

**Description:**

This vulnerability is an improper input validation flaw in the checkout process. Exploitation requires no user interaction and can result in arbitrary code execution. Reports indicate an ongoing server-side template injection campaign, dubbed “Xurum”, that actively exploits this flaw; the campaign has been observed since at least January 2023 and has compromised over 500 sites. Observed attack vectors include creating malicious customer accounts with crafted code in the name/surname fields, injecting backdoors via the VAT fields of orders, and replacing core files with malicious versions. Successful exploitation gives attackers full database access and the ability to execute PHP processes.

**Recommendations:**

Adobe Commerce versions prior to 2.4.3-p1

Adobe Commerce versions prior to 2.3.7-p2

Magento Open Source versions prior to 2.4.3-p1

Magento Open Source versions prior to 2.3.7-p2

Tags: Exploit · Fix · RCE

**Weakness Enumeration:**

**Related Identifiers:**

BDU:2022-00739
BIT-MAGENTO-2022-24086
CVE-2022-24086
GHSA-F8FV-F786-9933

**Affected Products:**

Commerce