Security updates for arbitrary code execution vulnerability in Adobe Commerce and Magento Open source.


This week Adobe released a security bulletin APSB22-12 dedicated to a vulnerability CVE-2022-24086. Its exploitation could allow arbitrary code execution. The flaw received a CVSS score of 9.8 out of a possible 10, marking it as critical. Adobe also stated that their internal security team discovered the issue, so the vulnerability has been exploited in very limited attacks.

The affected Adobe Commerce and Magento Open source versions are 2.4.3-p1 and earlier and 2.3.7p2 and earlier up to 2.3.3. 2.3.3 and lower were not affected.

The security update named MDVA-43395_EE_2.4.3-p1_v1 was released and can be installed manually or using Composer. It was tested for compatibility with all versions from 2.3.3-p1 to 2.3.7p-2 and 2.4.0 to 2.4.3-p1. The update is available both for Adobe Commerce and Magento Open source.

The update contains changes applied to two files:



Obviously, the vulnerability is related to Directive Processor, since Adobe Commerce and Magento Open source versions 2.3.3 and before do not have the file VarDirective.php and any files for  DirectiveProcessorInterface.

Reading next


Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.