As Magento 1 Reaches End of Life, Attackers Are Exploiting Vulnerability in Magento Mass Importer Plugin (CVE-2017-7391)
In May 2020, ZDNet published an article detailing a privately shared FBI flash alert sent to the private sector about attacks targeting Magento, a popular e-commerce platform used by hundreds of thousands of websites.
According to the FBI, attackers have targeted CVE-2017-7391, a cross-site scripting vulnerability in the Magento Mass Importer (Magmi) plugin, which was patched three years ago. The vulnerability exists in the way the plugin handles requests containing user-supplied input.
Additionally, Magento 1 has reached end of life as of June 30. The final set of security updates for both the enterprise version (Magento Commerce) and community version (Magento Open Source) was released on June 22. Because Magento 1 is no longer supported, site owners are strongly encouraged to upgrade to Magento 2 or another supported e-commerce solution as soon as possible.
For more information about the Magmi plugin vulnerability, including the availability of patches, Tenable product coverage, and the availability of a Magento Unsupported Version Detection plugin, please visit our blog.