Adobe’s content management system includes a flaw that affects Mastercard, LinkedIn and Sony’s PlayStation customers, according to Threat Post.
The vulnerability, which was patched in May, allowed attackers to gain access to passwords and remotely execute code on vulnerable AEM installations. Adobe’s content management system, Adobe Experience Manager (AEM), was found to contain a zero-day vulnerability that may have affected customers as diverse as Mastercard, LinkedIn, and PlayStation.
The bug was identified by ethical hackers with the help of Detectify Crowdsource and appears to affect the CRX Package Manager component of Adobe’s AEM. Ai Ho and Bao Bui originally discovered the vulnerability in December 2020, while working on a project that used AEM for Sony Interactive Entertainment’s PlayStation division.
Three months later, the AEM CRX bypass was discovered on many subdomains within the Mastercard organization. Both Sony and Mastercard were aware of the bugs at the time of the incident. “Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations”.
Adobe’s content management system exposes its users to new security risks
Researchers said in a blog post: “This bug allows attackers to bypass authentication and gain access to CRX Package Manager”. Following extensive testing and validation by Detectify, Adobe was alerted to the problem on March 25. Earlier this month, Adobe announced a fix for AEM.
According to experts, all it takes for malicious remote code execution is for an attacker to gain access to a system running Adobe’s AEM. Once inside, the attacker simply uploads a malicious package to the CRX Package Manager and uses it to gain full control of the application.
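The attack path described above leaves a clear trace on the server: a package upload or install action performed by an unauthenticated request that nonetheless succeeds. The following detector is an added example, not code from the article, Detectify, or Adobe. It assumes an access log in the common AEM layout (client IP, user field, timestamp, request line, status) and that Package Manager requests live under the `/crx/packmgr/` path; the log lines are constructed for the example and are not real traffic.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines in the shape of an AEM access.log (assumption: your
# deployment's column order may differ; adjust LOG_LINE to match it).
SAMPLE_LOG = """\
10.0.0.5 - admin 02/Jun/2021:09:12:01 +0000 "GET /crx/packmgr/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin 02/Jun/2021:09:12:40 +0000 "POST /crx/packmgr/service/.json/etc/packages/my_packages/site.zip?cmd=install HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - 02/Jun/2021:09:13:05 +0000 "GET /content/site/en.html HTTP/1.1" 200 9876 "-" "curl/7.68.0"
203.0.113.7 - - 02/Jun/2021:09:13:09 +0000 "POST /crx/packmgr/service.jsp HTTP/1.1" 200 277 "-" "curl/7.68.0"
203.0.113.7 - - 02/Jun/2021:09:13:11 +0000 "POST /crx/packmgr/service/.json/etc/packages/x/y.zip?cmd=install HTTP/1.1" 200 291 "-" "curl/7.68.0"
198.51.100.2 - - 02/Jun/2021:09:14:00 +0000 "POST /crx/packmgr/service.jsp HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

# ip, ident, user, timestamp (two tokens), "METHOD PATH PROTO", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) (?P<ts>\S+ \S+) '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

PACKMGR_PREFIX = "/crx/packmgr/"          # assumption: default Package Manager path
WRITE_METHODS = {"POST", "PUT"}           # uploads/installs are not GETs


@dataclass
class Finding:
    ip: str
    user: str
    method: str
    path: str
    status: int
    reason: str


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode and collapse dot segments so
    that string matching sees the same path the servlet dispatcher would."""
    path = raw.split("?", 1)[0]
    return posixpath.normpath(unquote(path)).lower()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_anonymous_packmgr_writes(log_text: str) -> List[Finding]:
    """Flag successful (2xx) write requests to the Package Manager that carry no
    authenticated user. A correctly configured instance should answer such
    requests with 401/403, so a 2xx here indicates an auth bypass or a
    misconfiguration and deserves an incident-response look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["path"])
        if not path.startswith(PACKMGR_PREFIX):
            continue
        if rec["method"].upper() not in WRITE_METHODS:
            continue
        if rec["user"] != "-":
            continue                       # authenticated: normal admin activity
        if not 200 <= rec["status"] < 300:
            continue                       # server rejected it; not a bypass
        findings.append(Finding(rec["ip"], rec["user"], rec["method"],
                                rec["path"], rec["status"],
                                "anonymous write to CRX Package Manager succeeded"))
    return findings


if __name__ == "__main__":
    for f in detect_anonymous_packmgr_writes(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Run against real logs, the rule should fire on nothing at all after patching; the admin-driven install in the sample is deliberately left unflagged so the output stays focused on the condition the vulnerability creates, while a rejected 401 attempt is left to ordinary brute-force monitoring.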
Because of its widespread use, Adobe is one of the leading targets for cyber attackers. Beyond Acrobat, the software provider also develops engines for various online-facing applications and websites. Adobe was second only to Microsoft in a recent analysis of the most popular exploits marketed in cybercriminal forums.