The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It’s been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks.
This means hundreds of thousands of websites are vulnerable right now, and worse yet, they are ecommerce websites. They are used to sell goods online, capturing personally identifiable information (PII), including credit card information. The impact of Magento websites getting compromised can be devastating for every online buyer who uses or has used a website built on the platform.
This is a very serious vulnerability: it allows an attacker to run any command they want on the server, letting them take full ownership of the vulnerable online shop and its associated web server.
Full Disclosure Going Live in a couple of days
This vulnerability was discovered by the Check Point research team and reported to Magento back in January. They gave us an early warning to help spread the word to as many Magento admins as we could. In a few days (likely this Monday or Tuesday – April 21st), they will release full details of the vulnerability on their blog. Once the details are released, it is expected that within hours there will be a working Proof of Concept (PoC) available for the masses. The severity of this issue cannot be overstated; we cannot stress enough the importance of patching immediately.
If you own a Magento site, you must patch it immediately! Go to the download page, search for SUPEE-5344 and follow the instructions.
If you cannot apply the patch, I highly recommend putting your site behind a Website Firewall (WAF) or Intrusion Prevention System (IPS).