CVE-2025-54236
Adobe · Adobe Commerce (multiple versions)
Executive summary
A critical vulnerability has been discovered in multiple versions of Adobe Commerce that could allow an unauthenticated remote attacker to take complete control of an affected e-commerce site. This flaw, rooted in improper input validation, could lead to severe business consequences, including the theft of sensitive customer data, financial fraud, and significant reputational damage. Immediate patching is required to mitigate this high-risk threat.
Vulnerability
The vulnerability is classified as Improper Input Validation. A remote, unauthenticated attacker can send a specially crafted request to a publicly accessible application endpoint. The application fails to properly sanitize the input data in this request before passing it to a backend component, which could lead to arbitrary code execution on the server. No prior authentication or user interaction is needed to exploit the flaw, which makes it both critical and easy to weaponize.
Business impact
This vulnerability is of critical severity with a CVSS score of 9.1. Successful exploitation would grant an attacker full control over the underlying server hosting the Adobe Commerce platform. This could result in the complete compromise of the e-commerce environment, leading to the theft of the entire customer database, including Personally Identifiable Information (PII) and payment card data. Further impacts include financial loss through fraudulent transactions, service disruption, website defacement, and the use of the compromised server to attack other systems, causing severe reputational and legal damage.
Remediation
Immediate Action:
- Immediately apply the security updates provided by Adobe to patch all affected Adobe Commerce instances. Upgrade to the latest secure version as recommended in the vendor's security bulletin.
- Before patching, create a full backup of the application and database.
- After patching, verify that the application is fully functional.
Proactive Monitoring:
- Review web server access and error logs for unusual or malformed requests, particularly those targeting application APIs with long, encoded strings or suspicious payloads.
- Monitor for any unexpected outbound network connections from the Adobe Commerce servers, which could indicate a successful compromise and communication with a command-and-control server.
- Implement file integrity monitoring to detect unauthorized changes to core application files.
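The two monitoring steps above (log review for long or heavily encoded request targets, and file integrity monitoring of the application tree) written out as a small Python script. This is an added example, not Adobe's code and not part of the advisory: it assumes Apache/nginx "combined" access-log format, uses constructed sample log lines with a placeholder /rest/V1/example path (the advisory names no specific endpoint, and none is implied here), and the length and encoding thresholds are arbitrary starting points to tune for your own traffic.

```python
"""Added example (not Adobe's code, not part of the advisory): two of the
monitoring steps written as scripts, run on constructed sample data.

1. Triage web-server access log lines for unusually long or heavily
   encoded request targets.
2. Compare a file-integrity baseline of the application tree against its
   current state.

The /rest/V1/example path and every log line are constructed placeholders;
the advisory names no specific endpoint and none is assumed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Apache/nginx "combined" access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PCT_BYTE_RE = re.compile(r'%[0-9A-Fa-f]{2}')             # one percent-encoded byte
BASE64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{64,}={0,2}')  # long base64-looking token

# Constructed sample log (hypothetical clients and paths).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8123
203.0.113.9 - - [10/Sep/2025:10:01:07 +0000] "POST /rest/V1/example?data=%7B%22k%22%3A%22v%22%2C%22n%22%3A%5B1%2C2%2C3%5D%7D HTTP/1.1" 500 512
198.51.100.7 - - [10/Sep/2025:10:01:09 +0000] "GET /rest/V1/example?data=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk= HTTP/1.1" 200 64
192.0.2.44 - - [10/Sep/2025:10:01:11 +0000] "GET /catalogsearch/result/?q=blue+shoes HTTP/1.1" 200 9001
"""


def triage_request(target: str, max_len: int = 512, min_encoded: int = 12) -> list[str]:
    """Return the reasons a request target looks anomalous (empty list = nothing flagged)."""
    reasons = []
    if len(target) > max_len:
        reasons.append(f"target length {len(target)} exceeds {max_len}")
    encoded = len(PCT_BYTE_RE.findall(target))
    if encoded >= min_encoded:
        reasons.append(f"{encoded} percent-encoded bytes in target")
    if BASE64_RUN_RE.search(target):
        reasons.append("long base64-like token in target")
    return reasons


def triage_log(text: str) -> list[dict]:
    """Parse combined-format lines and keep those with at least one reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # unparsable line: worth a separate look, skipped here
            continue
        reasons = triage_request(m["target"])
        if reasons:
            hits.append({"client": m["client"], "method": m["method"],
                         "status": m["status"], "target": m["target"],
                         "reasons": reasons})
    return hits


def hash_tree(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of content, for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo_integrity() -> dict[str, list[str]]:
    """Build a throwaway tree, baseline it, simulate tampering, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "code").mkdir(parents=True)
        (root / "app" / "code" / "Module.php").write_text("<?php // original\n")
        (root / "index.php").write_text("<?php // front controller\n")
        baseline = hash_tree(root)
        # Simulated unauthorized changes: one core file edited, one file dropped in.
        (root / "app" / "code" / "Module.php").write_text("<?php // altered\n")
        (root / "pub").mkdir()
        (root / "pub" / "extra.php").write_text("<?php // unexpected\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["status"], "; ".join(hit["reasons"]))
    print(demo_integrity())
```

In practice the baseline from hash_tree would be taken right after patching from a known-good deployment and stored off the web server, and the log triage would run over the real access log with thresholds adjusted so that legitimate API clients on the site do not trip them.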
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with virtual patching rules designed to inspect and block requests attempting to exploit this vulnerability.
- Restrict access to all administrative interfaces to trusted IP addresses only.
- Ensure the web server process runs with the lowest possible privileges to limit an attacker's capabilities post-exploitation.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1 and the potential for a remote, unauthenticated attacker to achieve full system compromise, this vulnerability represents a severe and immediate threat to the organization. We strongly recommend that all affected Adobe Commerce instances be patched immediately. Although this CVE is not currently listed in the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. Organizations should treat this vulnerability with the highest priority and assume active exploitation is imminent.