
Magento Security Advisory: CVE-2016-4010

An exploit targeting a critical vulnerability (CVE-2016-4010) that affects all Magento versions up to and including 2.0.6 was published on May 18th, 2016. The sole prerequisite for a site to be vulnerable is that it allows guest checkout, i.e. shopping by customers who do not have an account on the site.

Magento has not published a patch yet.

More specifically, the vulnerable component is the Guest Carts REST API endpoint. This endpoint does not validate its JSON input properly, allowing an attacker to supply PHP data in serialized form that the application then unserializes (PHP object injection), which leads to execution of arbitrary PHP code. The published exploit demonstrates this by uploading code that replaces Magento's Redis I/O layer with malware recording all payment transaction details into an arbitrary file, transparently to the rest of the application.

The exploit does not require a valid login. It only requires a syntactically correct e-mail address and a guest cart ID, which can be readily obtained by visiting the target site and starting a checkout as a guest. Furthermore, whether a site has been compromised cannot be determined purely by inspecting its web server logs, because the malicious payload is delivered in the request's POST body, which server access logs do not record.
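Because the access log never sees the POST body, a defender who wants to know whether such requests reached the site has to inspect request bodies themselves, either at the WAF or from a capture in front of the application. The following Python inspector is an added example written for this advisory; it is not FGX-Web's rule, Magento's code, or the published exploit. It parses a JSON body the way a REST endpoint would, walks every string value, and flags any that carry the marker of a serialized PHP object (`O:<len>:"<Class>":<n>:{`), which is the shape of data a vulnerable `unserialize()` call would turn into an object. The request field names, the `/rest/V1/guest-carts/...` path with its placeholder cart ID, and the detection regex are assumptions constructed for the example; the three sample bodies are constructed as well.

```python
import json
import re

# Heuristic for a PHP-serialized object or custom-serialized (C:) object,
# e.g. O:3:"Foo":0:{}. Assumed pattern for this example, not the FGX-Web WAF rule.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def _string_leaves(value, path="$"):
    """Yield (json_path, text) for every string in a decoded JSON document."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _string_leaves(item, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from _string_leaves(item, f"{path}[{idx}]")


def find_php_objects(body):
    """Return the JSON paths of string values that contain a serialized PHP object.

    If the body is not valid JSON, the raw text is scanned instead so that a
    deliberately malformed body does not slip past the check unexamined.
    """
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return ["<raw body>"] if PHP_OBJECT_RE.search(body) else []
    return [path for path, text in _string_leaves(doc) if PHP_OBJECT_RE.search(text)]


def inspect_request(method, path, body):
    """WAF-style decision for one request.

    Returns the verdict, the matched JSON paths and a log line that records
    exactly the information the web server's access log lacks: where in the
    body the suspicious value sat.
    """
    hits = find_php_objects(body) if method.upper() in ("POST", "PUT") else []
    verdict = "block" if hits else "allow"
    log_line = f'{method} {path} verdict={verdict} php_object_paths={",".join(hits) or "-"}'
    return {"verdict": verdict, "hits": hits, "log": log_line}


# Constructed sample bodies; the field names are invented for the example.
BENIGN_BODY = json.dumps({
    "email": "shopper@example.com",
    "items": [{"sku": "SKU-123", "qty": 1}],
    "note": "Please leave the parcel at the front door",
})

SUSPICIOUS_BODY = json.dumps({
    "email": "shopper@example.com",
    "items": [{"sku": "SKU-123", "qty": 1, "extra": 'O:3:"Foo":1:{s:1:"a";s:1:"b";}'}],
})

NOT_JSON_BODY = 'x=O:3:"Foo":0:{}'

if __name__ == "__main__":
    # Placeholder cart ID in the path; only the REST prefix is meaningful here.
    example_path = "/rest/V1/guest-carts/CART-ID-PLACEHOLDER/order"
    for name, body in (("benign", BENIGN_BODY),
                       ("suspicious", SUSPICIOUS_BODY),
                       ("not-json", NOT_JSON_BODY)):
        print(name, "->", inspect_request("POST", example_path, body)["log"])
```

The regex is a coarse first filter, not a proof of exploitation: it will also fire on legitimate fields that happen to carry serialized PHP, so the retained log line (method, path, JSON path of the hit) is what makes a later investigation possible, since that is precisely the information the ordinary access log discards.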

If you're a current FGX-Web WAF user, the WAF can detect and block CVE-2016-4010 exploit attempts, protecting you from this vulnerability. To ensure you are protected, go to “Management > WAF Configuration > Rule Configuration” in your dashboard and make sure that at least one of the “Local File Inclusion” or “Magento” rulesets is set to “Block the Attack”.

If you're unsure about how to secure your website, here is a short eBook: 7 Tips to Secure Your Website. Keep it simple.
