June 2024: CosmicSting Critical Alert
CosmicSting highlighted the need for disciplined key and secret management.

June 2024 brought an urgent security event: CVE-2024-34102, widely known as CosmicSting. The vulnerability allowed unauthenticated XML External Entity (XXE) injection in specific endpoints and was actively exploited in the wild. Adobe responded with fixes in the 11 June 2024 security patches, followed by an isolated patch on 28 June for stores unable to take the full line updates immediately.
What we observed across the ecosystem was not sophisticated zero-day chaining so much as operational gaps: unpatched stores, overly permissive credentials, and insufficient monitoring. Where attackers gained a foothold, we often found webshells dropped into writable paths (pub/media, var), unexpected admin users, and outbound connections to unfamiliar hosts.
Our guidance to clients centred on two streams: immediate containment and structural hardening. Containment meant patching quickly (latest 2.4.7/2.4.6 p-lines, or the isolated fix), resetting and rotating all keys (API, webhooks, service accounts, CI/CD), and auditing admin users and access logs. We also advised file integrity checks to detect webshells and unexpected changes; on cloud, we coordinated with support to scan images and review WAF logs for indicators of compromise.
Structural hardening focused on reducing blast radius. The basics are least-privilege service accounts, CIDR-restricted admin access, mandatory 2FA, and secrets kept out of repositories. We also encouraged teams to enable CSP reporting, monitor unusual GraphQL patterns, and add egress filtering where feasible to block command-and-control callbacks.
Recommended steps:
- Patch now to current p-lines or apply Adobe's isolated patch; verify the build artifact includes the fix.
- Rotate keys and secrets: payment gateways, shipping, tax, search, webhooks, and CI/CD tokens.
- Audit admin users and permissions; remove stale accounts; enforce 2FA.
- Scan for webshells and unexpected file changes in pub/media and var; review web server logs for suspicious requests.
- Harden the perimeter: enable/adjust WAF rules; tighten CSP; restrict admin by IP; add egress controls.
For multi-brand estates, roll out in waves with monitoring checkpoints between each wave. CosmicSting is a reminder that disciplined patching and access hygiene beat most opportunistic attacks.
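The webshell and file-change check from the steps above, written out as an added example (illustrative code, not the page's own tooling or anything shipped by Adobe): it hashes every file under pub/media and var on a known-clean, freshly patched store, and a later run reports new, modified or deleted files plus any file that is PHP by extension or carries a PHP open tag whatever its name. The watched paths, the extension list and the 4 KB header check are assumptions for the example.

```python
import hashlib
import re
from pathlib import Path

# Web-server-writable Magento paths where dropped webshells were found;
# nothing here should ever be executable PHP (paths assumed from the article).
WATCH_DIRS = ("pub/media", "var")
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_watched_files(root: str):
    """Yield (relative posix path, Path) for every file under the watched dirs."""
    for rel_dir in WATCH_DIRS:
        base = Path(root) / rel_dir
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    yield p.relative_to(root).as_posix(), p


def build_baseline(root: str) -> dict:
    """Hash every watched file on a known-clean, freshly patched store."""
    return {rel: sha256_of(p) for rel, p in iter_watched_files(root)}


def scan(root: str, baseline: dict) -> list:
    """Compare the store against the baseline; return sorted (finding, path) pairs."""
    findings, seen = [], set()
    for rel, p in iter_watched_files(root):
        seen.add(rel)
        with p.open("rb") as fh:
            head = fh.read(4096)  # open tag near the start catches renamed polyglots
        if p.suffix.lower() in PHP_EXTENSIONS or PHP_OPEN_TAG.search(head):
            findings.append(("php_in_writable_path", rel))
        if rel not in baseline:
            findings.append(("new_file", rel))
        elif baseline[rel] != sha256_of(p):
            findings.append(("modified", rel))
    findings.extend(("deleted", rel) for rel in baseline if rel not in seen)
    return sorted(findings)
```

Store the baseline dictionary outside the web root (or in your monitoring system) so that a compromised host cannot rewrite it, and re-baseline only after a verified clean deploy.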