Critical CosmicSting Vulnerability (CVE-2024-34102) Exposes Thousands of Unpatched E-commerce Stores

Unpatched "CosmicSting" Flaw Leaves 75% of Magento & Adobe Commerce Sites Open to RCE

CRITICAL
June 21, 2026
5m read
Vulnerability, Cyberattack, Patch Management

Related Entities

Products & Tech: Magento, Adobe Commerce, GNU C Library

CVE Identifiers: CVE-2024-34102 (CRITICAL, CVSS 9.8)

Full Report

Executive Summary

A critical vulnerability identified as CVE-2024-34102, and nicknamed "CosmicSting," poses a severe and immediate threat to e-commerce websites running on Adobe Commerce and Magento platforms. The vulnerability, an XML External Entity (XXE) injection flaw, carries a CVSS score of 9.8 (Critical) and can be exploited by an unauthenticated remote attacker to read sensitive files from the server. Security researchers at Sansec have warned that when this flaw is chained with CVE-2024-2961, a bug in the GNU C Library, it leads to full Remote Code Execution (RCE). Despite patches being available since early June 2024, an estimated 75% of vulnerable sites remain unpatched, creating a massive attack surface for threat actors. Organizations using these platforms are urged to patch immediately or apply emergency mitigations to prevent server compromise, data theft, and financial fraud.


Vulnerability Details

CVE-2024-34102 is an Improper Restriction of XML External Entity Reference vulnerability. The flaw exists in how the platforms process XML input. An unauthenticated attacker can send a specially crafted HTTP request to a vulnerable endpoint, tricking the XML parser into accessing arbitrary files on the server's filesystem. This allows the exfiltration of sensitive information, such as database credentials, API keys, and server configuration files.

The threat is significantly amplified when combined with CVE-2024-2961, a vulnerability in the iconv() function of the GNU C Library. Chaining these two vulnerabilities allows an attacker to escalate the XXE information disclosure into full-blown RCE. This gives the attacker complete control over the compromised server, enabling them to install backdoors, deploy malware like payment skimmers, or use the server as a pivot point for further attacks within the network.

Affected Systems

The vulnerability impacts a wide range of Adobe and Magento products. Administrators should assume they are vulnerable if running any of the following versions or earlier:

  • Adobe Commerce: 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Extended Support: 2.4.3-ext-7
  • Magento Open Source: 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Webhooks Plugin: versions 1.2.0 to 1.4.0

According to research from Sansec, an alarming 75% of sites running these versions had not applied the security patches as of June 20, 2024.

Exploitation Status

While widespread in-the-wild exploitation had not been publicly confirmed at first, the security firm Sansec has developed a working proof-of-concept (PoC) exploit. The public disclosure of the vulnerability details and the simplicity of the attack vector make it highly likely that threat actors are actively developing or have already developed their own exploits. Because the attack can be automated, mass scanning and exploitation campaigns are a significant and imminent threat. CISA has since added CVE-2024-34102 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.

Impact Assessment

The business impact of a successful CosmicSting exploit is catastrophic. With RCE, attackers can:

  • Steal Sensitive Data: Exfiltrate customer Personally Identifiable Information (PII), payment card data, and intellectual property.
  • Install Payment Skimmers: Inject malicious JavaScript (Magecart-style attacks) to steal credit card information in real-time as customers make purchases.
  • Disrupt Operations: Take the e-commerce site offline, causing significant revenue loss and reputational damage.
  • Establish Persistence: Install backdoors or webshells to maintain long-term access to the server for future malicious activities.

For a typical e-commerce business, a breach of this nature could lead to millions in losses from fraud, regulatory fines (e.g., GDPR, CCPA), incident response costs, and brand damage.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems. Security teams should monitor web server and application logs for unusual XML-related requests or error messages. Specifically, look for:

  • Inbound requests to API or feed endpoints containing XML data with <!DOCTYPE or SYSTEM declarations.
  • Out-of-band network connections originating from the web server to external hosts, which could indicate XXE-based data exfiltration.
  • Modifications to core application files, particularly app/bootstrap.php, which could indicate an attempted or successful compromise.
  • Suspicious outbound traffic patterns that could signify data exfiltration or C2 communication from a webshell.

Detection Methods

Detection of exploitation attempts can be achieved through a multi-layered approach:

  1. Web Application Firewall (WAF): Implement and configure WAF rules to inspect and block malicious XML payloads containing external entity declarations. Many commercial WAFs have signatures for common XXE attacks.
  2. Log Analysis: Actively monitor web server access logs and application error logs for patterns indicative of XXE probes. Use a SIEM to correlate these events and alert on suspicious activity. This can be supported by D3FEND's URL Analysis.
  3. File Integrity Monitoring (FIM): Deploy FIM on critical application files, including app/bootstrap.php and other core Magento/Adobe Commerce files. Alerts on unexpected changes can be an early indicator of compromise.
  4. Network Traffic Analysis: Monitor for anomalous outbound connections from web servers. E-commerce servers should generally not be initiating connections to arbitrary external IP addresses. This aligns with D3FEND's Network Traffic Analysis technique.
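The log-analysis step above can be turned into a concrete triage filter. This added Python example is not from the advisory or from Sansec; it assumes a WAF or reverse proxy that logs request bodies, and the request records, paths and payloads in it are constructed samples. It flags the DOCTYPE and SYSTEM/PUBLIC entity declarations the hunting hints describe, plus XML pushed at a REST path, while leaving ordinary JSON and a plain SOAP envelope unflagged.

```python
import re
from dataclasses import dataclass, field

# One logged request as a body-logging WAF or proxy might emit it.
# All records below are constructed samples, not captured traffic.
@dataclass
class RequestRecord:
    src: str
    method: str
    path: str
    body: str
    reasons: list = field(default_factory=list)

# Patterns from the advisory's hunting hints: DOCTYPE declarations and entity
# definitions that point at external resources (SYSTEM / PUBLIC), plus the
# parameter-entity form that is also only ever seen inside a DTD.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
XML_DECL_RE = re.compile(r"<\?xml\b", re.IGNORECASE)

def classify(rec: RequestRecord) -> list[str]:
    """Return the reasons a request looks like an XXE probe (empty = clean)."""
    reasons = []
    if DOCTYPE_RE.search(rec.body):
        reasons.append("doctype-declaration")
    if EXT_ENTITY_RE.search(rec.body):
        reasons.append("external-entity")
    if PARAM_ENTITY_RE.search(rec.body):
        reasons.append("parameter-entity")
    # XML sent to a REST endpoint that normally speaks JSON is itself unusual.
    if XML_DECL_RE.search(rec.body) and rec.path.startswith("/rest/"):
        reasons.append("xml-at-rest-endpoint")
    return reasons

def scan(records):
    """Annotate every record and return only those worth an analyst's look."""
    hits = []
    for rec in records:
        rec.reasons = classify(rec)
        if rec.reasons:
            hits.append(rec)
    return hits

SAMPLES = [  # constructed: one XXE probe, one normal JSON call, one plain SOAP call
    RequestRecord("203.0.113.5", "POST", "/rest/V1/sample-endpoint",
                  '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]><x>&e;</x>'),
    RequestRecord("198.51.100.7", "POST", "/rest/V1/sample-endpoint",
                  '{"cartItem":{"sku":"24-MB01","qty":1}}'),
    RequestRecord("192.0.2.9", "POST", "/soap/default",
                  '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>'),
]
```

Feeding `scan(SAMPLES)` into a SIEM alert keeps the SOAP request quiet while surfacing the probe with three independent reasons, which makes tuning per endpoint straightforward.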

Remediation Steps

Immediate action is required to mitigate the risk posed by CosmicSting.

  1. Patch Immediately: The highest priority is to apply the security patches released by Adobe. This is the only way to fully remediate the vulnerability. Refer to the official Adobe Security Bulletin APSB24-34 for the correct patch for your version.
  2. Emergency Mitigation: If patching is not immediately possible, Sansec recommends a temporary fix by adding the following code snippet to the top of the app/bootstrap.php file:

    // Temporary CosmicSting mitigation: reject any request that carries an "xml" parameter.
    if (isset($_REQUEST['xml'])) {
        http_response_code(400);
        exit('Request blocked.');
    }

    Warning: This is a temporary workaround and may not block all attack vectors. It should not be considered a substitute for applying the official patch.

  3. Virtual Patching: Use a WAF to create virtual patches that block requests matching the attack signature. This can provide a layer of defense while the official patch is being tested and deployed.
  4. Review and Harden: After patching, conduct a full security review of the server. Check for any signs of compromise, such as unauthorized files, suspicious processes, or outbound network connections. This aligns with D3FEND's Application Hardening countermeasures.

Timeline of Events

  1. June 21, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Applying the security patches from Adobe is the most effective way to remediate the vulnerability.
  • Use a Web Application Firewall (WAF) to filter malicious XML traffic and apply virtual patches.
  • Running the web application in a containerized or sandboxed environment can limit the impact of an RCE exploit, preventing it from affecting the underlying host.

D3FEND Defensive Countermeasures

Organizations must prioritize the immediate deployment of Adobe's security patch APSB24-34. This is the definitive fix for CVE-2024-34102. A risk-based patching strategy should be implemented, starting with internet-facing production servers, followed by staging and development environments. Before deployment, patches should be tested in a non-production environment to ensure they do not disrupt business operations. Change management processes must be followed to document the update. After patching, teams should run vulnerability scans to verify that the fix has been successfully applied and the vulnerability is no longer detectable. Given the critical nature of this flaw, the patching window should be exceptionally short, ideally within 24-72 hours of the patch becoming available.

Implement a Web Application Firewall (WAF) with rules specifically designed to block XML External Entity (XXE) attacks. Configure the WAF in blocking mode to drop any HTTP requests containing suspicious XML structures, such as <!DOCTYPE> or SYSTEM entities in unexpected locations. This serves as a critical 'virtual patch' to protect systems while the official software update is being tested and deployed. The WAF rules should be tuned to the specific application to minimize false positives. Security teams should monitor WAF logs for blocked requests, as these are strong indicators of active targeting. This defensive layer is essential for mitigating zero-day attacks and providing a buffer against newly disclosed vulnerabilities like CosmicSting.

Beyond patching, security teams should harden the configuration of their Adobe Commerce and Magento installations. This includes disabling any unused features or API endpoints that could potentially serve as attack vectors. File permissions on the web server should be reviewed and restricted to prevent the web server process from reading sensitive files outside of its root directory. For applications that process XML, ensure that external entity processing is explicitly disabled in the XML parser configuration if not required for business functionality. This provides a defense-in-depth measure that can mitigate the impact of this and future XXE vulnerabilities. The temporary mitigation of modifying app/bootstrap.php is a form of application hardening, but a more robust solution involves a comprehensive review of all application configurations.
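The hardening point above, explicitly disabling DTD and external entity processing in the XML parser, is shown here in Python with the standard library expat bindings. This is an added illustration, not Magento or Adobe Commerce code (those platforms are PHP, where the same principle applies to their libxml-based parsers); the `parse_without_dtd` function and both sample documents are constructed for the example.

```python
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Raised when a document carries a DTD, which this application never needs."""

def parse_without_dtd(data: bytes) -> dict:
    """Parse XML while refusing DOCTYPE declarations and external entity lookups.

    Returns a small summary (root tag and text content) so callers can see
    that well-formed, DTD-free input still parses normally.
    """
    parser = expat.ParserCreate()
    summary = {"root": None, "text": ""}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused outright: a DTD is where external entities (the
        # XXE vector) are declared, and the application has no use for one.
        raise DoctypeRejected(f"DOCTYPE '{name}' refused")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of fetching the referenced URI.
        return 0

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name

    def on_chardata(text):
        summary["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    parser.Parse(data, True)
    return summary

def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document because of a DTD."""
    try:
        parse_without_dtd(data)
    except DoctypeRejected:
        return True
    return False

# Constructed inputs: a benign order document, and one carrying the kind of
# DOCTYPE/SYSTEM declaration the advisory's hunting hints describe.
SAFE_DOC = b'<?xml version="1.0"?><order><sku>24-MB01</sku></order>'
XXE_PROBE = (b'<?xml version="1.0"?><!DOCTYPE o [<!ENTITY e SYSTEM "file:///etc/hostname">]>'
             b'<order>&e;</order>')
```

The probe is rejected before any entity is expanded or any file is touched, while the benign document parses to its root tag and SKU text.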

Sources & References

  • CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites. BleepingComputer (bleepingcomputer.com), June 20, 2024.
  • Cyber Security Briefing, 14 - 21 June. Telefónica Tech, June 21, 2024.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: XXE, RCE, Magento, Adobe Commerce, E-commerce, Vulnerability, Patch Management
