A vulnerability in Adobe’s Magento 2 software is currently being actively exploited by attackers. However, victims should also look in the mirror, because there has been a patch for a year and a half.

It’s not because a vulnerability has a score of 9.8 and is therefore critical, which is why you need to patch it. That’s what several owners of webshops running on Adobe Magento 2 thought. In February 2022, it turned out that this software was subject to a bug that attackers could relatively easily exploit when making payments in a web shop. Adobe released a patch, but some users ignored it and are now getting the cover on their noses.

Russian origin

According to Akamai, criminals have been targeting the vulnerability since the beginning of this year. Hackers can then steal data such as payment statistics. They also install a web shell and register it under the name as a Magneto component Google Shopping Ads, which looks real. Akamai sees tracks that strongly suggest the attackers are from Russia.

Above all, the attack shows how difficult and important patching is. Online store owners who failed to patch the critical security hole last year are now facing the consequences. For their part, attackers know that a vulnerability can still be relevant years after its discovery, precisely because so many people are still lax about their patching policies.