Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2024-34102: Adobe Commerce CosmicSting XXE to RCE

*By Sai Kiran Pandrala*

⚡ At a glance

Severity: CVSS 9.8, Critical
Actively exploited? Yes, listed in CISA KEV. Sansec confirmed mass exploitation; ~75% of Adobe Commerce stores reportedly compromised before patch deployment.
Affected: Adobe Commerce 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier; Magento Open Source equivalents
Fixed in: Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 (and later) per Adobe APSB24-40
Type (CWE): CWE-611: Improper Restriction of XML External Entity Reference

⚠️ One of the most-exploited e-commerce CVEs of 2024. If your Adobe Commerce / Magento store was unpatched between June 2024 and your patch date, assume compromise. Card-skimmer plants and credential theft are widespread.

What is CVE-2024-34102?

CVE-2024-34102, known publicly as CosmicSting, is an XML External Entity (XXE) vulnerability in Adobe Commerce's REST API. An unauthenticated attacker sends a crafted XML payload to the API; the parser resolves external entities and the attacker can read arbitrary files from the Magento server, including the app/etc/env.php configuration file containing the encryption key.

That alone is bad. The attack chain that made it catastrophic is this: with the leaked encryption key, attackers forge an admin JWT (JSON Web Token) and authenticate as a real admin, which is a full takeover. From there they install a malicious customizer module that injects a card-skimmer into the checkout page (a "Magecart" attack), exfiltrate the customer database, or modify product pricing.

Sansec's research estimated that ~75% of unpatched Adobe Commerce stores were compromised within days of public PoC release. The fix shipped in June 2024.

Am I affected?

You are affected if you run Adobe Commerce or Magento Open Source at any version below the patched build for its release branch (the Affected and Fixed in rows above give the matrix).

To check your version:

   php bin/magento --version

Or in the admin: System → Magento Admin → Software Version Information.

How to fix CVE-2024-34102

  1. Open Adobe security bulletin APSB24-40 (https://helpx.adobe.com/security/products/magento/apsb24-40.html) for the exact patch matrix.
  2. Download the patch composer module from your Adobe Commerce account or Magento marketplace.
  3. Back up the entire Magento installation and database before patching:

   php bin/magento setup:backup --code --media --db
   mysqldump -u <user> -p <db> > magento-backup-$(date +%F).sql

  4. Apply the patch via Composer (recommended). The example pins the 2.4.7 branch; use the fixed build for your own branch, and on Adobe Commerce the metapackage is magento/product-enterprise-edition rather than product-community-edition:

   composer require magento/product-community-edition=2.4.7-p1 --no-update
   composer update
   php bin/magento setup:upgrade
   php bin/magento setup:di:compile
   php bin/magento setup:static-content:deploy -f
   php bin/magento cache:clean

  5. CRITICAL — rotate the encryption key after patching. The pre-patch key may have been leaked:

   php bin/magento setup:config:set --key=$(openssl rand -hex 16)

This invalidates any forged JWTs the attacker may have created.

Cosmic Sting cleanup

The patch alone is not enough if the store was compromised:

If you can't patch immediately

Adobe and Sansec recommend a Web Application Firewall rule that blocks the application/xml content type on the affected REST endpoints. This is a bridge mitigation only; the patch is the only remediation.

If your Adobe Commerce store is internet-facing and you can't patch in the next 24 hours, the credible options are: take the store into maintenance mode, or deploy the WAF rule and step up monitoring while you finish the patch.
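The bridge rule above, expressed as a request-screening function so you can test it against your own traffic shape before putting it in a WAF. This is an added example, not Adobe's or Sansec's rule text; the REST path forms (index.php front controller, store-code segment) match how Magento routes /rest/, and treating text/xml and "+xml" media types as XML is an assumption made here.

```python
import re

# Magento REST routes: optional index.php front controller, optional store code
# (/rest/V1/..., /rest/default/V1/..., /index.php/rest/all/V1/...).
_REST_PATH = re.compile(r"^(?:/index\.php)?/rest(?:/|$)", re.IGNORECASE)

# The page names application/xml. text/xml and the "+xml" suffix (e.g. application/soap+xml)
# are refused as well; treating them as XML is an assumption made for this example.
def is_xml_media_type(content_type: str) -> bool:
    media = content_type.split(";", 1)[0].strip().lower()  # drop "; charset=..." parameters
    return media in ("application/xml", "text/xml") or media.endswith("+xml")

def should_block(path: str, headers: dict) -> bool:
    """Bridge rule: refuse XML-typed requests to any REST route. Header names are case-insensitive."""
    route = path.split("?", 1)[0]
    if not _REST_PATH.match(route):
        return False
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return is_xml_media_type(ctype)

# Constructed sample requests (not real traffic) to exercise the rule.
SAMPLE_REQUESTS = [
    ("/rest/V1/guest-carts", {"Content-Type": "application/xml"}),
    ("/index.php/rest/default/V1/guest-carts", {"content-type": "Application/XML; charset=utf-8"}),
    ("/rest/all/V1/integration/customer/token?x=1", {"Content-Type": "application/soap+xml"}),
    ("/rest/V1/guest-carts", {"Content-Type": "application/json"}),
    ("/restaurants/menu", {"Content-Type": "application/xml"}),   # not a REST route
    ("/rest/V1/products", {}),                                     # no body type, e.g. a GET
]

def blocked_paths(requests=SAMPLE_REQUESTS) -> list:
    """Return the paths the rule would refuse, in input order."""
    return [path for path, headers in requests if should_block(path, headers)]

if __name__ == "__main__":
    for p in blocked_paths():
        print("BLOCK", p)
```

The rule keys on the declared media type, which is what Magento's REST layer uses to pick a parser, so JSON clients are unaffected.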

How to verify the fix worked

  1. php bin/magento --version shows the patched build.
  2. Cosmic Sting test: attempt the XXE PoC against your store from an external host. Expect HTTP 400 or 403, not a successful file read.
  3. Run a security scanner (MageReport, Sansec eComscan), CVE-2024-34102 detection should clear.
  4. Confirm encryption key rotation worked by checking app/etc/env.php for the new key. Note that setup:config:set --key appends the new key to the crypt/key entry and Magento keeps earlier keys listed there so older encrypted data can still be read, so inspect that entry rather than assuming the old key is gone.
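A version check that applies the patch matrix from this page per release branch, serving both the "Am I affected?" section and verification step 1. It is an added example, not Adobe tooling; it accepts either a bare version or the line printed by php bin/magento --version, and the handling of branches outside the matrix (newer than 2.4.7 patched, older than 2.4.4 unpatched) follows the "and earlier" wording above.

```python
import re

# First patched "-p" level per release branch, per Adobe APSB24-40 as quoted on this page.
FIXED_PATCH_LEVEL = {
    (2, 4, 7): 1,   # 2.4.7-p1
    (2, 4, 6): 6,   # 2.4.6-p6
    (2, 4, 5): 8,   # 2.4.5-p8
    (2, 4, 4): 9,   # 2.4.4-p9
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")

def parse_version(text: str):
    """Accept '2.4.6-p5' or a full CLI line such as 'Magento CLI 2.4.6-p5'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch)), int(plevel or 0)   # bare 2.4.7 is patch level 0

def is_patched(text: str) -> bool:
    """True if the build is at or above the fixed build for its branch."""
    branch, plevel = parse_version(text)
    if branch in FIXED_PATCH_LEVEL:
        return plevel >= FIXED_PATCH_LEVEL[branch]
    # Branches after 2.4.7 shipped after the fix; anything older than 2.4.4 falls under
    # "and earlier" in the affected range and has no patched build.
    return branch > (2, 4, 7)

def status(text: str) -> str:
    """One-line verdict, e.g. '2.4.6-p5: AFFECTED, upgrade'."""
    branch, plevel = parse_version(text)
    label = ".".join(map(str, branch)) + (f"-p{plevel}" if plevel else "")
    return f"{label}: {'patched' if is_patched(text) else 'AFFECTED, upgrade'}"

if __name__ == "__main__":
    import subprocess  # read the live version; constructed fallback if the CLI is absent
    try:
        line = subprocess.run(["php", "bin/magento", "--version"], capture_output=True, text=True).stdout
    except OSError:
        line = "Magento CLI 2.4.6-p5"
    print(status(line))
```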

Frequently asked questions

Is CVE-2024-34102 actively exploited?

Yes. CVE-2024-34102 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2024-34102?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://helpx.adobe.com/security/products/magento/apsb24-40.html

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

References


*This guide was assembled from Adobe security bulletin APSB24-40, Sansec research, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Adobe's bulletin before applying changes in production.*
