Safeguard
Vulnerability Analysis

CVE analysis: Magecart and e-commerce JavaScript supply c...

A Magecart supply chain attack analysis of the CVEs and exploit chains behind skimmer campaigns on Adobe Commerce and Magento, plus how to defend checkout pages.

Vikram Iyer
Security Researcher
Updated 9 min read

Magecart is not a single vulnerability — it's a decade-long campaign of e-commerce script injection attacks that has turned checkout pages into the most contested real estate in the software supply chain. This Magecart supply chain attack analysis focuses on two of the vulnerabilities that did the most damage to that ecosystem: CVE-2022-24086 and CVE-2024-34102, both critical, unauthenticated remote code execution bugs in Adobe Commerce and Magento Open Source that attackers weaponized within hours of disclosure to plant JavaScript skimmers on thousands of storefronts. These javascript exploits are especially dangerous because they run inside a customer's browser, invisible to server-side defenses that never inspect what a page's own scripts are doing. Together they show how a single web skimming CVE can cascade into millions of stolen card numbers, and why the fix is never just "patch and move on."

Magecart Supply Chain Attack Analysis: The Vulnerabilities Behind the Skimmers

"Magecart" is the umbrella name researchers at RiskIQ gave in 2016 to a loose collection of threat actor groups (later cataloged as Magecart Groups 1 through 12+) that inject digital skimming code into online storefronts to harvest payment card data at the point of entry. The technique itself is simple: get a few lines of malicious JavaScript to execute on a checkout or payment page, have it read form fields as the shopper types, and exfiltrate the data to an attacker-controlled server before the transaction ever completes. The hard part — and the part this analysis is really about — is how that JavaScript gets onto the page in the first place.

Two vulnerability classes dominate: direct exploitation of the CMS or e-commerce platform, and compromise of a third-party script or extension that the storefront trusts. Adobe Commerce and Magento Open Source, which together power a large share of the mid-market e-commerce world, have been the most consistent target for the first category. CVE-2022-24086 is an improper input validation flaw in the checkout process that allows an unauthenticated attacker to achieve arbitrary code execution simply by submitting crafted data during order placement — no account, no admin access, no user interaction required. CVE-2024-34102, dubbed "CosmicSting" by researchers at Sansec who discovered it, is an XML External Entity (XXE) injection vulnerability that, when chained with a separate glibc/iconv flaw (CVE-2024-2961) affecting PHP's filter-chain functionality, gives an unauthenticated attacker a path to read arbitrary files, steal encryption keys, and ultimately execute code on the server. Both bugs turn a storefront into a delivery mechanism for skimmer payloads without the attacker ever needing stolen credentials.

Affected Versions and Components

CVE-2022-24086 affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier, including the long-supported 2.3 branch. Adobe shipped an emergency, out-of-cycle patch (APSB22-12) in February 2022 because the vulnerability was already being exploited in the wild before a fix was broadly available.

CVE-2024-34102 affects a much larger swath of the installed base. Sansec estimated at disclosure that roughly three-quarters of Magento and Adobe Commerce stores were vulnerable to CosmicSting, spanning the 2.4.x line up through the versions current at the time. Adobe addressed it in June 2024 via advisory APSB24-40, alongside guidance to also rotate cryptographic keys — because the XXE flaw could be used to read the encryption key file itself, meaning a simple code patch wasn't sufficient remediation on its own for stores that had already been probed.

In both cases, the "affected component" isn't really the storefront's own code — it's the shared platform and its dependency chain, which is exactly why these are supply chain vulnerabilities rather than one-off application bugs. A single flaw in the underlying commerce platform simultaneously exposes every store built on it, and a single successful exploit can be templated and fired at every other unpatched instance found through mass scanning.

CVSS, EPSS, and KEV Context

Both CVE-2022-24086 and CVE-2024-34102 carry a CVSS 3.1 base score of 9.8 (Critical) — network-exploitable, no privileges required, no user interaction, with high impact to confidentiality, integrity, and availability. That combination is exactly what makes a bug attractive for skimmer campaigns: an attacker doesn't need phishing, credential theft, or a foothold anywhere else. They need only a reachable, unpatched storefront.

CVE-2022-24086 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog shortly after disclosure, reflecting confirmed in-the-wild exploitation — Sansec reported observing exploitation attempts within hours of the advisory going public, well before most merchants had a chance to patch. CosmicSting followed a similar pattern: mass scanning and exploitation attempts were observed industry-wide within about a day of disclosure, and the vulnerability was subsequently flagged given its active exploitation. Precise, universally agreed EPSS percentiles shift over time as scoring models are retrained, but the durable signal from both vulnerabilities is the same: critical, unauthenticated, internet-facing RCE in a widely deployed e-commerce platform gets weaponized fast, often faster than typical enterprise patch cycles can move.

Timeline: From Group-Based Skimming to CosmicSting

The Magecart phenomenon predates either of these specific CVEs by years, and the timeline matters because it explains why the pattern keeps repeating.

  • 2015–2016: RiskIQ researchers begin tracking coordinated card-skimming JavaScript campaigns against Magento-based stores and coin the "Magecart" name.
  • 2018: The breakout year. Ticketmaster disclosed a breach traced to a compromised third-party chatbot script (from vendor Inbenta) running on its payments page — a textbook e-commerce script injection attack via a trusted supplier rather than the retailer's own code. Months later, British Airways disclosed that Magecart Group 6 had modified a Modernizr JavaScript library on its site to skim card data from roughly 380,000 transactions over about two weeks, a breach that remains one of the most cited digital skimming case studies in the industry and drew a record UK data protection fine. Newegg suffered a comparable compromise around the same time.
  • 2019–2020: Security researchers (notably RiskIQ and Trend Micro's "Inside Magecart" work) formally catalog more than a dozen distinct Magecart groups with differing tooling and targeting. Magento 1 reaches end-of-life in June 2020, and stores that never migrated to Magento 2 become a long-tail target for skimmer operators exploiting unpatched, unsupported code.
  • February 2022: CVE-2022-24086 is disclosed and patched out-of-band; Sansec documents mass exploitation attempts beginning within hours, many aimed at deploying skimmers or backdoors for later skimmer deployment.
  • June 2024: CVE-2024-34102 ("CosmicSting"), chained with CVE-2024-2961, is disclosed and patched; researchers again observe rapid, widespread scanning and exploitation against the large pool of vulnerable stores before patches were universally applied.

The through-line across nearly a decade is consistent: Magecart operators don't need novel techniques so much as a steady supply of exploitable entry points — whether that's a platform CVE, an outdated extension, or a compromised third-party tag — into pages that process payment data.

Remediation Steps

  • Patch immediately, not eventually. Apply Adobe's APSB22-12 and APSB24-40 updates (and any subsequent cumulative patches) for your specific Adobe Commerce or Magento Open Source version. Given how quickly both CVEs were exploited after disclosure, treat critical Magento/Adobe Commerce advisories as emergency-change events, not routine maintenance.
  • Rotate secrets after CosmicSting exposure. Because CVE-2024-34102 could expose the encryption key file, patching the code alone does not remediate a store that was already probed or compromised — rotate the Magento encryption key and any dependent credentials per Adobe's guidance.
  • Inventory and audit third-party scripts. Ticketmaster's breach came through a vendor's chatbot code, not Ticketmaster's own application. Maintain an allowlist of scripts permitted to run on checkout and payment pages, and monitor for unauthorized changes to any JavaScript that executes there — including tag manager configurations, which are themselves a common injection vector.
  • Retire unsupported platforms. Magento 1 stores past end-of-life should migrate; there is no vendor patch coming for future flaws discovered on that codebase.
  • Deploy client-side integrity monitoring. Because the entire attack lives in JavaScript executing in the customer's browser, server-side controls alone won't catch it — subresource integrity, Content Security Policy with strict script-src directives, and continuous monitoring of what actually executes on checkout pages are necessary layers.
  • Assume scanning is constant. Both CVEs saw internet-wide scanning within a day of disclosure. Web application firewalls tuned to known exploit signatures buy time, but they are a stopgap, not a substitute for patching.

How Safeguard Helps

Magecart's defining trait is that the malicious code runs where traditional server-side security tooling doesn't look: inside the browser, inside a script your team may not have written and may not even know is loading. Safeguard is built for exactly that blind spot in the software supply chain, detecting the same javascript exploits that skimmer payloads have relied on for a decade. We continuously monitor first-party and third-party JavaScript running on checkout and payment pages, baseline expected script behavior, and alert on unauthorized changes or newly introduced data-exfiltration patterns — the same signature that every Magecart case study, from Ticketmaster to CosmicSting, shares in common.

On the platform side, Safeguard correlates your Adobe Commerce, Magento, or other e-commerce stack against known CVEs like CVE-2022-24086 and CVE-2024-34102, flags unpatched instances before they show up in mass-scanning campaigns, and tracks the dependency and extension supply chain that so often introduces risk outside the core platform's own code. Instead of learning about a web skimming CVE from a breach notification, Safeguard customers get the same signal attackers already have — reachable, unpatched, exploitable — routed to their security team first.

Pairing continuous script-integrity monitoring with proactive vulnerability and dependency tracking closes the two doors Magecart groups have relied on for a decade: the platform bug, and the trusted-but-unverified script. That combination is what turns a Magecart supply chain attack analysis from a post-breach exercise into a preventable outcome.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.