How to fix CVE-2022-24086 — critical security vulnerability in Adobe Commerce and Magento Open Source?

Posted by: admin

Adobe has released urgent security updates for Adobe Commerce and Magento Open Source on Sunday, February 13th. CVE-2022-24086 is a critical vulnerability that experts compare to the Magento Shoplift vulnerability from 2015. That one led to thousands of websites being hacked in just a few days because it offers unauthenticated remote code execution, meaning hackers can easily penetrate and take control of your site if you’re running on affected versions.

Affected products and versions

Adobe Commerce2.4.3-p1 and earlier versions
2.3.7-p2 and earlier versions  
Magento Open Source2.4.3-p1 and earlier versions   
2.3.7-p2 and earlier versions


To resolve the vulnerability, apply one of the following attached patches:

The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1.

How to apply a composer patch provided by Adobe

Here are the steps to apply a composer patch for Adobe Commerce on-premises, Adobe Commerce on cloud infrastructure, and Magento Open Source.

How to apply a composer patch for Adobe Commerce on cloud infrastructure

  1. If you do not have a directory named m2-hotfixes in the project root, please create one.
  2. Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory.
  3. Add, commit, and push your code changes:

    git add –A
    git commit -m "Apply %patch_name%.composer.patch patch"
    git push origin

For additional information about applying patches to Cloud projects, see Apply patches in Magento developer documentation.

How to apply a composer patch for Adobe Commerce on-premises and Magento Open Source

  1. Upload the patch to your Adobe Commerce on-premises or Magento Open Source root directory.
  2. Run the following SSH command:

    patch -p1 < %patch_name%.composer.patch

    (If the above command does not work, try using -p2 instead of -p1)
  3. For the changes to be reflected, refresh the cache in the Admin under System > Cache Management.

If you are not confident about installing such a critical patch yourself or your development team is not available to do it for you, we offer help!

More information can be found at:

About admin

I am a very motivated and enthusiastic person, highly creative, and recognized as a result-oriented and solution-focused individual.

Add a comment