Critical Security Advisory: Remote Code Execution (RCE) Vulnerability
April 24, 2015
As we have previously shared, a critical security flaw was identified in the Magento platform that potentially allows unauthorized access to a Magento store. While a large number of merchants have successfully downloaded the patch, many of you still have not done so.
The remote code execution (RCE) vulnerability was reported to us by Check Point Software Technologies. It affects both Magento Enterprise Edition and Magento Community Edition and allows attackers to obtain control over a store and its sensitive data, including personal customer information.
On February 9, we released the SUPEE-5344 security patch and recommended that merchants implement the patch as soon as possible. On April 16, we again reminded merchants and partners to implement the patch to protect their sites from this security risk before the issue was made public and the risk of attack was elevated. On April 20 and April 22, Check Point publicized the security risk, including technical details about how to uncover the vulnerability.
Important Steps to Secure Your Magento Store
With the visibility of this issue, we strongly urge you to implement the SUPEE-5344 security patch immediately, if you have not done so already. We also issued a patch for a separate remote code execution issue in October 2014 (SUPEE-1533), and we recommend that you install that patch at the same time if it is not currently in place.
For Enterprise Edition merchants, the patches can be found in the Magento Support Portal.
For Community Edition merchants, the patches can be found on the Magento Community Edition download page.
Additional information about this issue is available on a special security patch page.