Magento Commerce - RCE (CVE-2022-24086)

CVE-2022-24086 is a critical improper input validation vulnerability in Adobe Commerce (Magento Commerce) that affects the checkout process. This flaw allows remote attackers to execute arbitrary code on the server without requiring any user interaction, potentially leading to full system compromise and enabling a range of attacks such as data theft, site defacement, or malware deployment.

CrowdSec has been tracking this vulnerability and its exploits since 29th of October 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2022-24086 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2022-24086 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2022-24086 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the Adobe Commerce (Magento) checkout and payment API endpoints, particularly targeting /rest/default/V1/guest-carts/<entity_id>/shipping-information and /rest/default/V1/guest-carts/<entity_id>/payment-information, injecting malicious payloads in JSON fields to achieve remote code execution. These attempts often include suspicious template filter expressions or system command patterns within the firstname or lastname fields.