CVE-2024-20720: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command Injection vulnerability (CVE-2024-20720). This critical vulnerability has a CVSS score of 9.1 and could lead to arbitrary code execution by an attacker. The vulnerability was discovered in February 2024, and notably, exploitation of this issue does not require user interaction (NVD, CVE).

The vulnerability is classified as an OS Command Injection (CWE-78) that allows attackers to execute arbitrary system commands. Attackers have been observed combining the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. The exploitation occurs when the /checkout/cart path is accessed, triggering malicious commands through the layout_update database table (SANSEC).

When successfully exploited, the vulnerability enables attackers to achieve arbitrary code execution on affected systems. In observed attacks, threat actors have used this vulnerability to implement persistent backdoors and deploy payment skimmers for data exfiltration. The vulnerability has been actively exploited to inject malware that automatically reinfects systems even after manual fixes (SANSEC, SOCRadar).

Organizations are strongly advised to upgrade to Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to mitigate this vulnerability. Additionally, it is recommended to run security scans to detect any potential backdoors or compromises in the system (SANSEC).

CISA has highlighted this vulnerability in their alerts, emphasizing the critical nature of the security updates. The security community has been actively tracking its exploitation, with researchers from Sansec being the first to document actual abuse of the vulnerability in the wild (SOCRadar).