Security Update for Potential Vulnerability in Magento Admin URL location

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to compromise directly, knowing the URL location could make it easier to automate attacks.

We are aware of similar attacks using these methods. To best protect your store, Magento has released patches and recommends additional security steps to protect your store.

Affected versions

This issue affects Magento Open Source and Magento Commerce (on-premise and cloud) for 2.1.x, 2.2.x, and 2.3.x. Magento 1 merchants are not affected.

Install the patch

To help prevent against potential attacks associated with these types of issues, update your Magento installations with a new patch. For complete details and instructions, see KB Magento Admin URL location disclosed.

Protect your store

To help prevent against potential attacks associated with these types of issues, Magento strongly recommends that merchants deploy tools to secure their admin panel, including two-factor authentication, VPN, IP whitelisting and more.

For detailed information, see the following blogs and documentation:

• 5 Immediate Actions to Protect Against Brute Force Attacks

• Protect Your Magento Installation Password Guessing New Update

• Security Best Practices

• Adding and Configuring Two-Factor Authentication in Magento for 2.1.x, 2.2.x, and 2.3.x