Earlier this week, Adobe disclosed a remote code execution (RCE) vulnerability affecting both Adobe Commerce and Magento Open Source and published security bulletin APSB22-12 (CVE-2022-24086, later extended with CVE-2022-24087), rated Critical with Priority 1, i.e. to be installed immediately. The bug sits in the template filter that processes directives such as {{var}} and {{if}}, so it is reachable through store functionality that renders templates from user-influenced data and does not require administrator credentials.

What this means is that if your site runs Adobe Commerce or Magento Open Source 2.3.3-p1 through 2.3.7-p2, or 2.4.0 through 2.4.3-p1, it is at high risk and must be patched immediately. Both editions are affected in the same version ranges; the ranges are the same for Commerce and Open Source.

There are two security patches that fix the vulnerability. You can download them for your respective Magento version from https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12- (note that the bulletin was updated after its initial release to add the second patch, so if you applied only the first one you are not fully protected).

Use the following patches, attached to the Adobe article linked above, depending on your Adobe Commerce or Magento Open Source version:

2.4.3 – 2.4.3-p1:

2.3.4-p2 – 2.4.2-p2:

2.3.3-p1 – 2.3.4:

In order to be fully protected, you need to apply both patches, in this order: the MDVA-43395 patch first, and then MDVA-43443 on top of it. MDVA-43443 is not a replacement for MDVA-43395; it assumes the first patch is already in place.
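To decide whether a given installation is inside the affected ranges and which patch set it needs, here is an added example written for this page (it is not Adobe's or Magento's code). It reads the product meta-package version from composer.lock and applies the version ranges listed above. The composer.lock fragment is constructed for the example; the package names magento/product-enterprise-edition and magento/product-community-edition are the real Composer meta-packages of Commerce and Open Source, and the range table is the one given in this article.

```python
"""Check a Magento / Adobe Commerce install against the APSB22-12 ranges."""
import json
import re
from typing import Optional, Tuple

# (major, minor, patch, p-level). A release without "-pN" gets p-level 0,
# so that 2.4.3 sorts before 2.4.3-p1 and after 2.4.2-p2.
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a '2.4.3-p1' style version string into a comparable tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


# Affected ranges as stated in the article (inclusive on both ends).
AFFECTED_RANGES = (("2.3.3-p1", "2.3.7-p2"), ("2.4.0", "2.4.3-p1"))

# Patch sets as listed in the article: (low, high, label), inclusive.
PATCH_BUCKETS = (
    ("2.4.3", "2.4.3-p1", "2.4.3 - 2.4.3-p1"),
    ("2.3.4-p2", "2.4.2-p2", "2.3.4-p2 - 2.4.2-p2"),
    ("2.3.3-p1", "2.3.4", "2.3.3-p1 - 2.3.4"),
)

# Composer meta-packages whose version equals the Magento release version
# (Commerce and Open Source respectively).
META_PACKAGES = (
    "magento/product-enterprise-edition",
    "magento/product-community-edition",
)


def _within(version: Version, low: str, high: str) -> bool:
    return parse_version(low) <= version <= parse_version(high)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the affected ranges."""
    v = parse_version(version)
    return any(_within(v, lo, hi) for lo, hi in AFFECTED_RANGES)


def patch_bucket(version: str) -> Optional[str]:
    """Label of the patch set to download, or None if no set matches."""
    v = parse_version(version)
    for lo, hi, label in PATCH_BUCKETS:
        if _within(v, lo, hi):
            return label
    return None


def installed_version_from_lock(lock_text: str) -> Optional[str]:
    """Return the product meta-package version recorded in composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in META_PACKAGES:
            return pkg.get("version")
    return None


def assess(lock_text: str) -> str:
    """One-line verdict for a composer.lock: affected or not, and which set."""
    version = installed_version_from_lock(lock_text)
    if version is None:
        return "no Magento product meta-package found in composer.lock"
    if not is_affected(version):
        return f"{version}: outside the ranges listed in APSB22-12"
    bucket = patch_bucket(version)
    if bucket is None:
        return f"{version}: affected, but matches no listed patch set; check the Adobe article"
    return f"{version}: affected; apply MDVA-43395 then MDVA-43443 from the {bucket} set"


# Constructed composer.lock fragment for the example (not a real file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.3.5"},
        {"name": "magento/product-enterprise-edition", "version": "2.4.3-p1"},
    ]
})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```

Run it against the real composer.lock of the store (open(...).read() in place of SAMPLE_LOCK). The p-level handling matters: a naive string comparison would put 2.4.3-p1 before 2.4.3, and 2.4.3-p2 (the fixed release) would wrongly look affected.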

The patches affect the following files, i.e. the framework directive processors that parse template directives ({{var}}, {{depend}}, {{for}}, {{if}} and simple directives) and the email template filter that drives them:

./vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php
./vendor/magento/module-email/Model/Template/Filter.php
./vendor/magento/framework/Filter/DirectiveProcessor/DependDirective.php
./vendor/magento/framework/Filter/DirectiveProcessor/ForDirective.php
./vendor/magento/framework/Filter/DirectiveProcessor/IfDirective.php
./vendor/magento/framework/Filter/DirectiveProcessor/SimpleDirective.php

How to apply a Magento Patch?

Once you have downloaded the appropriate patches, create a new directory in your Magento root, e.g. ./patches, upload the patch files there and run the following commands from the Magento root. The file names below are the ones for a 2.4.3-p1 Composer installation; substitute the files for your version. It is worth running each command with --dry-run first: if the first patch does not apply cleanly (for example because the vendor files were already modified), stop and investigate rather than applying the second one on top.

patch -p1 < patches/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch

patch -p1 < patches/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch