Yesterday, Threatpost reported a story about a remote code execution vulnerability with Magento 2 Enterprise and Community software.
Magento is committed to delivering superior security to clients and has been actively investigating the root cause of the reported issue. They are not aware of any attacks in the wild. Admin access is required to execute the exploit, so as always, they encourage you to follow best practices to keep your Admin secure.
In addition, this vulnerability will be addressed in Magento's next release, targeted for early May. Until then, Magento recommends enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:
- Log on to the merchant site Admin URL (e.g., yourdomain.com/admin)
- Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
- Select YES from the dropdown options
- Click on Save Config
For more information about the issue, you can go to Threatpost and DefenseCode. Magento will provide additional information about the security update as they get closer to the release date. If you have questions, please feel free to reach out to Magento at firstname.lastname@example.org. In addition, please visit the Magento Security Center to stay up-to-date on best practices, security releases, and potential vulnerabilities.