On April 14, 2017, Threatpost reported a story about a remote code execution vulnerability in Magento 2 Enterprise and Community software…
Magento quickly issued a statement saying it is committed to delivering superior security to clients and has been actively investigating the root cause of the reported issue. Neither we nor Magento are aware of any attacks in the wild. Administrator access is required to execute the exploit, so, as always, we encourage you to follow best practices to keep your Admin account secure.
It seems this new vulnerability will be addressed in the next release of Magento 2, targeted for early May 2017. Until then, we recommend enabling the “Add Secret Key to URLs” setting to mitigate potential attacks. To turn on this feature:
1. Log on to the Merchant Site Admin URL (e.g., yourdomain.com/admin)
2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
3. Select YES from the dropdown options
4. Click on Save Config
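After saving, it is worth confirming that the setting actually took effect rather than trusting the dropdown. The script below is an added verification example written for this post; it is not code from Magento or from the original article. It assumes the Magento 2 configuration path `admin/security/use_form_key`, which backs the “Add Secret Key to URLs” option, and the `key/<hash>/` path segment Magento appends to Admin action URLs when the option is on. The configuration rows and the Admin page HTML it checks are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Optional

# Configuration path behind Stores > Configuration > Advanced > Admin > Security
# > "Add Secret Key to URLs" in Magento 2. A stored value of "1" means YES.
SECRET_KEY_CONFIG_PATH = "admin/security/use_form_key"

# With the setting on, every Admin action URL carries a per-session secret key as a
# path segment, e.g. /admin/catalog/product/index/key/<hex hash>/ . The hash length
# depends on the Magento version, so accept any reasonably long hex string.
KEY_SEGMENT = re.compile(r"/key/[0-9a-f]{32,64}(/|$)", re.IGNORECASE)


def secret_key_setting(config_rows: Iterable[Dict[str, str]]) -> Optional[bool]:
    """Read the "Add Secret Key to URLs" value from core_config_data rows.

    Returns True (YES), False (NO), or None when no row overrides the setting,
    in which case the module's config.xml default applies and the Admin UI is
    the place to confirm what is in effect.
    """
    for row in config_rows:
        if row.get("path") == SECRET_KEY_CONFIG_PATH:
            return row.get("value") == "1"
    return None


def admin_links_missing_key(html: str, admin_front_name: str = "admin") -> List[str]:
    """Return Admin action links in a rendered Admin page that lack the key segment.

    A link counts as an Admin action link when the admin front name is followed
    by at least one more path segment; the bare login URL (/admin/) is ignored
    because it never carries a key.
    """
    action_link = re.compile(rf"/{re.escape(admin_front_name)}/[^/\s\"']+/")
    missing = []
    for url in re.findall(r'href="([^"]+)"', html):
        if action_link.search(url) and not KEY_SEGMENT.search(url):
            missing.append(url)
    return missing


# Constructed sample data (not taken from a real store).
SAMPLE_CONFIG_ROWS = [
    {"scope": "default", "scope_id": "0", "path": "admin/security/session_lifetime", "value": "7200"},
    {"scope": "default", "scope_id": "0", "path": SECRET_KEY_CONFIG_PATH, "value": "1"},
]

SAMPLE_ADMIN_HTML = """
<a href="https://shop.example/admin/">Sign in</a>
<a href="https://shop.example/admin/admin/dashboard/index/key/0123456789abcdef0123456789abcdef/">Dashboard</a>
<a href="https://shop.example/admin/catalog/product/index/key/fedcba9876543210fedcba9876543210/">Products</a>
<a href="https://shop.example/admin/catalog/product/new/">Add product (no key)</a>
"""


if __name__ == "__main__":
    # Expected: setting True, and only the "Add product" link reported as missing a key.
    print("setting:", secret_key_setting(SAMPLE_CONFIG_ROWS))
    print("links without key:", admin_links_missing_key(SAMPLE_ADMIN_HTML))
```

On a live store the rows for `secret_key_setting` can be pulled with `SELECT path, value FROM core_config_data WHERE path = 'admin/security/use_form_key';`, and the HTML for `admin_links_missing_key` is simply the page source of any Admin screen after logging in. Any Admin action link reported without a key segment means the setting is not in effect for that page, which is what the four steps above are meant to prevent.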
For more information about the issue, you can go to Threatpost and DefenseCode.
We will provide additional information about the security update as we get closer to the release date, once this information is available from Magento.