CosmicSting: A Critical XXE Vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

Category	Details
Threat Actors	Not explicitly mentioned.
Campaign Overview	Exploits “CosmicSting” vulnerability (CVE-2024-34102) in Adobe Commerce and Magento, targeting e-commerce platforms globally.
Target Regions	Global (affects over 140,000 Magento instances worldwide).
Methodology	Exploits unauthenticated XML External Entity (XXE) vulnerability via REST API endpoints, enabling sensitive file access and potential RCE.
Product Targeted	Adobe Commerce and Magento Open Source versions before 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9.
Malware Reference	Potential injection of malicious “eskimmer” JavaScript to scrape form data and exfiltrate it to attacker-controlled domains.
Tools Used	Proof-of-concept exploits, Snort IDS/IPS, Splunk queries, Tetragon eBPF observability agent, synthetic transaction monitoring tools.
Vulnerabilities	CVE-2024-34102 (CVSS 9.8), XXE vulnerability triggered via nested deserialization and unsafe XML entity handling.
TTPs	- Crafting malicious JSON payloads - Exploiting REST API endpoints - Chaining with other issues for RCE - Exfiltration of sensitive files (e.g., /etc/passwd).
Attribution	No explicit attribution mentioned.
Recommendations	- Apply latest patches. - Implement WAF rules. - Use network segmentation. - Conduct security audits. - Monitor logs. - Enforce least privilege.
Source	Splunk

Read full article: https://www.splunk.com/en_us/blog/security/cosmicsting-a-critical-xxe-vulnerability-in-adobe-commerce-and-magento.html

Disclaimer: The above summary has been generated by an AI language model