PT-2024-1794 · Adobe · Magento+1

Published: 2024-02-15 · Updated: 2026-04-01 · CVE-2024-20720

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier
Description: The issue is an improper neutralization of special elements used in an OS command (OS command injection), which can lead to arbitrary code execution by an attacker. The vulnerability lets threat actors plant a persistent backdoor on e-commerce sites and deploy skimmers that steal payment data. Exploitation does not require user interaction. The flaw has been reported as exploited in the wild to steal payment data from e-commerce websites; the estimated number of potentially affected websites exceeds 139,817, located mainly in the United States, Germany, and other countries. Six cybercriminals have been charged with stealing data from 160,000 cards through this vulnerability.
Recommendations: For Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier: update to Magento versions 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to prevent exploitation. As a temporary workaround, consider restricting access to vulnerable modules or functions to minimize the risk of exploitation. Avoid using vulnerable API endpoints or parameters until the issue is resolved.
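To turn the affected-version list above into a check an operator can run against an inventory, here is an added Python example (not part of this advisory and not Adobe's tooling) that classifies a Magento/Adobe Commerce version string against the fixed releases named in the recommendation. It assumes the `X.Y.Z-pN` naming of Magento security patch releases and, as an assumption, treats release branches newer than 2.4.6 as already containing the fix.

```python
import re

# Fixed patch level per affected release branch, as stated in the advisory:
# 2.4.6-p4, 2.4.5-p6 and 2.4.4-p7 are the first non-vulnerable releases.
FIXED_PATCH_LEVEL = {
    (2, 4, 6): 4,
    (2, 4, 5): 6,
    (2, 4, 4): 7,
}

# Magento release names look like "2.4.6" or "2.4.6-p3" (security patch N).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Split 'X.Y.Z-pN' into ((X, Y, Z), N); a missing '-pN' counts as p0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p_level = m.groups()
    return (int(major), int(minor), int(patch)), int(p_level or 0)


def is_affected_by_cve_2024_20720(text):
    """Return True if the given version falls in the advisory's vulnerable range.

    - On the 2.4.4 / 2.4.5 / 2.4.6 branches, anything below the fixed patch level
      is vulnerable.
    - Branches older than 2.4.4 are covered by the advisory's "and earlier".
    - Branches newer than 2.4.6 are assumed fixed (assumption, not from the page).
    """
    branch, p_level = parse_version(text)
    if branch in FIXED_PATCH_LEVEL:
        return p_level < FIXED_PATCH_LEVEL[branch]
    if branch < (2, 4, 4):
        return True
    return False


def triage(versions):
    """Map each version string in an inventory to 'affected' / 'fixed' / 'unknown'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected_by_cve_2024_20720(v) else "fixed"
        except ValueError:
            result[v] = "unknown"  # unparsable string: flag for manual review
    return result
```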

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-01526
CVE-2024-20720
GHSA-525F-PVJ5-VQMQ

Affected Products

Commerce
Magento