Cybersecurity researchers have revealed that approximately 5% of all Adobe Commerce and Magento stores have been compromised by cybercriminals exploiting a severe security vulnerability known as CosmicSting. The flaw, officially tracked as CVE-2024-34102, carries a critical CVSS score of 9.8 and stems from an improper restriction of XML external entity (XXE) references, which can lead to remote code execution. It was initially discovered by a researcher known as “spacewasp” and patched by Adobe in June 2024, but many stores remained unpatched and exposed in the weeks that followed.
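The root cause named above, an XML parser that honours external entity references in client-supplied input, is a defect a developer can rule out at the parser. The following is an added example, not code from the article, from Adobe or from Magento: a small loader built on Python's standard-library expat binding that refuses any DOCTYPE or entity declaration before an entity could be expanded or fetched. The sample documents, including the `file:///placeholder/path` system identifier, are constructed for the test and do not reproduce the CosmicSting exploit.

```python
"""Added example (not from the article): parse untrusted XML while refusing
the document features an XXE attack depends on.

Client-supplied XML (API bodies, webhooks, feeds) never legitimately needs a
DOCTYPE, so the safe policy is to reject the document as soon as one appears.
expat reports the DOCTYPE before it reads any entity declaration, so the
SYSTEM identifier inside it is never resolved.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlDocument(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def _refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise UnsafeXmlDocument(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")


def _refuse_entity_decl(entity_name, *_ignored):
    raise UnsafeXmlDocument(f"entity declaration {entity_name!r} is not allowed")


def _refuse_external_ref(context, base, system_id, public_id):
    # Defence in depth: should never be reached, because the DOCTYPE that
    # declared the entity has already been refused.
    raise UnsafeXmlDocument(f"external entity reference to {system_id!r} refused")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source into an ElementTree Element.

    The expat parser drives a stdlib TreeBuilder for the element structure,
    while the three refusal handlers stop parsing on the first XXE vector.
    Raises UnsafeXmlDocument on DOCTYPE/entity use and ExpatError on
    malformed XML.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.EntityDeclHandler = _refuse_entity_decl
    parser.ExternalEntityRefHandler = _refuse_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # True: this is the final chunk
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if the loader refused the document as unsafe (helper for checks)."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlDocument:
        return True
    return False


# Constructed sample inputs (not taken from any real exploit or store).
SAFE_ORDER = b"<order><id>42</id><total>19.99</total></order>"

# A DOCTYPE declaring an external general entity: the XXE pattern.
XXE_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY secret SYSTEM "file:///placeholder/path">]>'
    b"<order><id>&secret;</id></order>"
)

# A DOCTYPE with only internal entities (entity-expansion abuse); also refused.
INTERNAL_ENTITY_ORDER = (
    b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<order><id>&b;</id></order>"
)


if __name__ == "__main__":
    root = parse_untrusted_xml(SAFE_ORDER)
    print("safe document parsed, id =", root.find("id").text)
    for label, doc in (("XXE", XXE_ORDER), ("internal entities", INTERNAL_ENTITY_ORDER)):
        print(label, "rejected:", is_rejected(doc))
```

The refusal happens in the DOCTYPE callback, which expat fires before it has read the entity declarations, so no file or URL named in the document is ever opened; the external-reference handler is kept only as a second line of defence. Malformed XML still surfaces as `xml.parsers.expat.ExpatError`, which a caller should treat as a client error rather than a server fault.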
Sansec, a Dutch cybersecurity firm specializing in e-commerce security, described CosmicSting as the “worst bug to hit Magento and Adobe Commerce stores in two years.” According to their findings, compromised e-commerce sites are being attacked at an alarming rate, with three to five stores falling victim to malicious actors every hour. These cyberattacks are particularly concerning due to the widespread use of Adobe Commerce and Magento in online businesses, putting customer data and transactions at significant risk.
Following the rapid spread of these attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CosmicSting to its Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024. This move signals the severity of the vulnerability, as it continues to be actively exploited by hackers worldwide. CISA’s inclusion of CosmicSting in the KEV catalog underscores the importance of addressing this flaw promptly to prevent further security breaches in online stores.
In several cases, attackers have been able to use CosmicSting to steal Magento’s secret encryption key. With this key, cybercriminals can generate JSON Web Tokens (JWTs), granting them full administrative API access to the targeted system. This access enables the attackers to exploit the Magento REST API, allowing them to inject malicious scripts into the platform. These scripts can then be used to further compromise the store, potentially stealing sensitive data or introducing additional vulnerabilities.
To make matters worse, researchers observed a series of more complex attacks in August 2024, in which threat actors chained CosmicSting with another vulnerability, CNEXT (CVE-2024-2961), a bug in the iconv implementation of the GNU C library (glibc). This combination allows attackers to escalate from reading files to full remote code execution, effectively taking control of the entire system. The attackers’ ultimate goal is to establish persistent, covert access to the compromised server via tools like GSocket and to inject rogue JavaScript that steals payment data entered by customers, creating a serious threat to both businesses and their customers.