On April 14, 2017, Threatpost reported a story about a remote code execution vulnerability in Magento 2 Enterprise and Community software…

Magento quickly issued a statement saying it is committed to delivering superior security to clients and has been actively investigating the root cause of the reported issue. Neither we nor Magento are aware of any attacks in the wild. Administrator access is required to execute the exploit, so as always, we encourage you to follow best practices to keep your Admin account secure.

It seems this new vulnerability will be addressed in the next release of Magento 2, targeted for early May 2017. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks.

To turn on this feature:

1. Log on to the Merchant Site Admin URL (e.g., yourdomain.com/admin)
2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
3. Select YES from the dropdown options
4. Click on Save Config


Where can I find more information?

For more information about the issue, you can go to Threatpost and DefenseCode.

We will provide additional information about the security update as we get closer to the release date, once this information is available from Magento.

Customers who are already hosted with us will automatically receive the update.  Look out for notifications of any expected outage at your store.  If you haven’t heard from us yet and think you might be affected, please contact us.


Note: This update was launched in May 2017 and may no longer affect fresh installations of Magento 2.