Act now: Critical unauthenticated vulnerability in Magento’s API
Magento has issued a critical alert this week regarding a critical vulnerability in Magento server. The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code using Magento’s API without providing any valid authentication credential. Magento is an extremely popular eCommerce platform with a 30% share in the eCommerce market and its vulnerabilities have a track record of being wildly exploited by criminals.
A successful exploit needs one of the remote procedure call interfaces (either REST or SOAP) to be enabled, however, both are enabled by default — actually it is mandatory that you have at least one of them enabled. This vulnerability works on both the Community Edition and Enterprise Edition of the system, which means that if you are running an old version of Magento, you are vulnerable to this attack.
N-Stalker Free or Commercial Edition will assist you to assess your Magento’s installation. Download it now.