Quick in a Crisis: The Magento CVE-2022-24086 Story

Find out how Classy Llama’s rapid response to security threats keeps client data safe

Mondays are bad enough on their own but imagine this: you barely have a sip of your Monday morning coffee before suddenly being confronted with an intense security threat on the majority of your clients’ websites.

Unfortunately, that kind of Monday is all too likely for Classy Llama’s team. When it happened recently, they knew it was up to them to put the coffee down and get to work doing whatever they needed to in order to protect our clients from the security risk. 

eCommerce Security: More precarious every day

In a world where cyber-attacks are more and more common, it’s crucial for eCommerce businesses to have reliable security systems in place.

If you don’t have someone in-house to monitor cyber-security threats, and you don’t have an outside partner to help you, your eCommerce website data, including you and your customer’s personal identifying information and credit card credentials, are at risk.

It’s not a maybe or a possibility — without proactive measures against security threats, your eCommerce data is in danger.

In fact, in 2021 alone, Juniper Research group found that eCommerce fraud rates increased by 18%. Our eCommerce fraud protection partner, Signifyd, discovered similar findings and it looks like eCommerce fraudsters and hackers aren’t going to give us a rest in 2022.

The Threat: Adobe Commerce Sites at Risk of Hacking

On Monday, Feb. 14, Adobe announced a severe security vulnerability known as CVE-2022-24086. This vulnerability allows attackers to execute malicious code on vulnerable Adobe Commerce sites, and was rated a 9.8 out of 10 on the severity scale by Adobe.

Not only that, by the time Adobe announced the problem and published patches to correct the vulnerability, some 500 hundred Adobe Commerce sites had already been attacked by hackers using the CVE-2022-24086 flaw.

Given that a majority of Classy Llama’s client sites are hosted on the Adobe Commerce platform, we knew immediately that we had to act.

The Response: Classy Llama’s Client Teams in Action

As soon as Classy Llama’s internal teams were aware of this threat, they snapped into action. Step one was to get everyone together and explain the problem while simultaneously creating a deployment plan to patch the vulnerability.

There was only one issue: Classy Llama’s pledge to our clients is to always communicate when we’re deploying work on client sites and getting the sign-off before actually making changes to their code. That way, clients can prepare for any possible outages or slowed response times on their site or, at the very least, they can be fully aware of what’s going on with their website maintenance.

Unfortunately, as the Security Services Team, the Account Executives and Project Managers, and the Systems Engineering Team discovered early Monday morning, this security threat was catastrophic. If a bad actor exploited this flaw against any of our clients before we got the go-ahead to patch the problem, their entire company and client base could be compromised.

As always, our dedication to serving our clients the absolute best way we can won out. It may have been slightly outside our normal policy, but together, the Classy Llama Team decided they couldn’t wait; our clients needed protection now.

The team started implementing the security patch for CVE-2022-24086 on the morning of Feb. 14, 2022 and had finished patching every single client in less than 24 hours. Because client notices were being sent simultaneously to the patch deployment, many of our clients were fortunate enough to hear about the security threat only after their eCommerce site was no longer at risk.

The Result: Safe clients. Happy Llamas. 

By the next day, not one Classy Llama Adobe Commerce site was still vulnerable to CVE-2022-24086, thanks to the quick decision-making and execution tactics of our internal teams.

“Everything was handled great. I received alerts from a number of sources but Classy Llama was the first and had the patch installed right away,” Brian Larson, Vice President and CFO of R&R Products, Inc., said.

Our clients at Weekends Only were especially impressed and grateful about Classy Llama’s response to this threat:

“I can imagine that a vulnerability of that scale and urgency would be a difficult thing to manage across all of your clients, but you guys did a great job responding quickly with solid communication and execution. Before working with CL, it was pretty much on us to keep our eyes/ears open for vulnerabilities like this, and that usually meant we would find out about it several days late after stumbling across an article about it online. It sure is great to know you have our back when something like this happens. You guys were all over it and I can’t tell you how much I appreciate that.” Scott Antrobus, Product Manager of Digital Enterprises at Weekends Only, said.

Of course, as usual in our world, the unpredictable is the only thing you can count on …

Security Threat 2: The Sequel to CVE-24086

Just as the dust cleared from the CVE-2022-24086 announcement, Adobe dropped another bomb, announcing a new threat known as CVE-2022-24087 on Thursday, Feb. 17th.

The silver lining of the Feb. 14th CVE-2022-24086 threat is that Classy Llama already had a proactive game plan for patching flaws just like this new issue.

As soon as the Classy Llama team became aware of the second threat, they sprang into action.

While this threat and its patch followed a slightly more complex process to deploy, our internal teams followed the same protocol: round up the troops, get everyone in alignment on the plan, and then execute. Due to Classy Llama’s pre-planning and quick action, this secondary threat was neutralized for all our clients by the end of the next day.

“You handled things exactly as I would have hoped. In both cases, our internal security teams were already aware and asking about the risks, but you weren’t far behind with your initial communication. The process you used … led to patching the next day.” Jim Twieg, Vice President of Technology for Suttle-Straus, said.


Here’s the thing: Classy Llama’s dedication to our clients’ security will always be unwavering, and our goal is to work tirelessly to address any and all security threats as quickly as possible.

When a severe security threat such as CVE-2022-24086 is announced, Classy Llama’s teams are now more primed than ever to spring into action to protect clients. The quick response time and execution tactics we can implement managed to prevent any major damage from being done to any of our client sites. Thanks to our proactive approach to security threats, our clients can rest assured that their eCommerce site is safe with us and when clients are happy, Llamas are happy!

If you’d like help with eCommerce security concerns, Classy Llama has a specialized Managed Service for cyber security, designed to create a strategic relationship between you and our expert teams so we can protect your site like we did for our clients in the face of CVE-2022-24086. Partner with Classy Llama and rest assured that someone always has your back when it comes to site security.

Contact us here to get started on a security discovery asap.