30 June 21, 11:06
Quote: Details of an Adobe zero-day bug found in its content-management solution Adobe Experience Manager (AEM), which affected customers ranging from Mastercard, LinkedIn and PlayStation, were revealed Monday.
The bug, patched in May, allowed hackers to bypass authentication protection and execute code remotely on vulnerable AEM installs.
Researchers in the ethical-hacking community Detectify Crowdsource identified the flaw in the CRX Package Manager component of Adobe’s AEM. AEM is an enterprise-class tool for creating and managing websites, mobile apps and online forums.
“This bug allows attackers to bypass authentication and gain access to CRX Package Manager,” researchers wrote in a blog post about the vulnerability published Monday. “Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations.”
Detectify Crowdsource members, identified as Ai Ho and Bao Bui, first discovered the vulnerability in December 2020 in an instance of AEM used by Sony Interactive Entertainment’s PlayStation subsidiary. Three months later, the AEM CRX bypass was also identified within multiple subdomains used by Mastercard. Both Sony and Mastercard were notified of the bugs at the time.
It wasn’t until a series of tests and validation of the flaw by Detectify that Adobe was notified of the bug on March 25. On May 6, Adobe issued a patch for its AEM platform.
According to researchers, if the vulnerability is left unpatched, attackers can easily access the CRX Package Manager to upload a malicious package within the context of Adobe’s AEM solution and execute a remote-code execution attack to “gain full control of the application,” researchers observed.
Read more: Details of RCE Bug in Adobe Experience Manager Revealed | Threatpost
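Not part of the quoted article: as an added example, a small Python audit script that checks whether an AEM host answers CRX Package Manager requests anonymously, which is the exposure the article describes as the first step of the attack. The endpoint paths are the standard AEM ones; the login redirect path, the response markers and the verdict rules are this script's own assumptions. It does not reproduce the Detectify bypass (the article does not describe it), so a 401 or login redirect here is only a baseline, not proof the May patch is applied.

```python
"""Audit check: does an AEM instance serve the CRX Package Manager to an
unauthenticated client?  Added example; not code from Threatpost, Detectify
or Adobe.  Paths are standard AEM paths, everything else is an assumption."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Standard AEM endpoints: the Package Manager UI and its upload/install
# service.  Which of them to audit is this script's choice.
PACKMGR_PATHS = (
    "/crx/packmgr/index.jsp",
    "/crx/packmgr/service.jsp",
    "/crx/packmgr/service/.json",
)
# Prefix of AEM's default login page, used to recognise a login redirect.
LOGIN_PATH = "/libs/granite/core/content/login"
# Strings expected in an anonymous 200 that really is the Package Manager
# (assumed markers: the UI title and the service's XML root element).
PACKMGR_MARKERS = ("CRX Package Manager", "<crx version=")


@dataclass
class Verdict:
    path: str
    status: int
    exposed: Optional[bool]   # True = exposed, False = protected, None = review by hand
    reason: str


def assess(path, status, headers, body):
    """Classify one unauthenticated response (rules are assumptions)."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else (body or "")
    hdrs = {k.lower(): v for k, v in headers.items()}   # works for dicts and HTTPMessage
    location = hdrs.get("location", "")
    if status in (401, 403):
        return Verdict(path, status, False, "rejected with %d" % status)
    if 300 <= status < 400:
        if LOGIN_PATH in location:
            return Verdict(path, status, False, "redirected to AEM login")
        return Verdict(path, status, None, "redirected elsewhere (%s); review" % location)
    if status == 404:
        return Verdict(path, status, False, "not reachable (404), e.g. blocked by the Dispatcher")
    if status == 200:
        if any(m in text for m in PACKMGR_MARKERS):
            return Verdict(path, status, True, "anonymous 200 with Package Manager content")
        return Verdict(path, status, None, "anonymous 200 without recognisable Package Manager content; review")
    return Verdict(path, status, None, "unexpected status %d; review" % status)


def exposed_paths(verdicts):
    """Paths that answered with Package Manager content to an anonymous client."""
    return [v.path for v in verdicts if v.exposed]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep the 3xx visible instead of following it, so assess() can inspect it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """Send one anonymous GET per path and classify each answer."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = []
    for path in PACKMGR_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "aem-packmgr-audit"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, headers, body = resp.status, resp.headers, resp.read(4096)
        except urllib.error.HTTPError as e:        # 3xx/4xx/5xx land here
            status, headers, body = e.code, e.headers, e.read(4096)
        except urllib.error.URLError as e:
            results.append(Verdict(path, 0, None, "request failed: %s" % e.reason))
            continue
        results.append(assess(path, status, headers, body))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s https://aem.example.com" % sys.argv[0])
    for v in probe(sys.argv[1]):
        flag = "EXPOSED" if v.exposed else ("REVIEW" if v.exposed is None else "ok")
        print("%-8s %3d %s: %s" % (flag, v.status, v.path, v.reason))
```

Run it against both author and publish hosts. On a publish host fronted by the Dispatcher the expected answer for every path is 404 (deny `/crx` there); on an author host it is a 401 or a redirect to the Granite login page. Any `EXPOSED` line means the same access the article describes, upload of a package and code execution from it, is available without credentials.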