If you are running your store on Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), then your store is at high risk!
A zero-day bug is being exploited in the above-mentioned versions of Magento in the wild by the attackers, which has forced Adobe to roll out emergency security patches to secure the stores.
The detected RCE bug can allow the attackers to execute arbitrary codes on the stores and harm them. Here is how you can secure your online Magento store from the Adobe RCE bug.
The latest security update (APSB25-50) by Adobe was released on June 10, 2025. You can apply the patches VULN-31609_2.4.X & VULN-31547_2.4.8 patches to fix it.Critical RME Bug Discovered in Adobe Commerce & Magento Open Source
On Sunday, Feb 13, 2022, Adobe released an emergency security patch – MDVA-43395 for the Magento stores to fix the newly discovered RCE bug in the Adobe Commerce and Magento Open Source. “These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” mentioned the Adobe security bulletin – APSB22-12.
Common Vulnerabilities and Exposures (CVE) database that manages the public security flaws, assigned CVE-2022-24086 as the tracking id to the vulnerability. CVSS declared the vulnerability to be critical and rated it 9.8/10, which needs to be fixed immediately.
On Feb 17, 2022, Abobe released another security patch – MDVA-43443 to fix the security vulnerability in the affected versions and updated the security tracking ID to CVE-2022-24087, with updated details and information on the improper input validation vulnerability. “In order to stay up to date with the latest protections, customers must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it,” declared Adobe.
Adobe Released MDVA-43395 & MDVA-43443 Security Patches to Fix the Vulnerability
Adobe released the following patches for the affected versions of Adobe commerce & Magento open source:
| Product | Updated Version |
| Adobe Commerce 2.4.3 – 2.4.3-p1 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip |
| Magento Open Source 2.4.3 – 2.4.3-p1 | MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip |
| Adobe Commerce 2.3.4-p2 – 2.4.2-p2 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip |
| Adobe Commerce 2.3.3-p1 – 2.3.4 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip |
| Magento Open Source 2.3.3-p1 – 2.3.4 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip |
The RCE vulnerability is highly critical and serious enough to force Adobe to warrant an immediate security patch. Thus, Meetanshi recommends patching the Magento stores with the latest Adobe security patch to build a solid security shield against the known security loophole.
You can use learn to install Magento 2 security patches to learn installing security patches on your Magento platform and safeguard your store against any such security vulnerabilities.
