Magento says compromised sites haven’t patched older vulnerabilities
Magento said Tuesday there does not appear to be a new vulnerability in its e-commerce platform that is causing some websites to become infected with the Neutrino exploit kit.
Some of the affected websites appear to not have patched a code execution vulnerability nicknamed the Shoplift Bug Patch, Magento’s security team wrote in a blog post. A patch was released in February.
Other Magento-powered sites have not applied other patches, making them vulnerable.
The latest attack against Magento was highlighted by Malwarebytes and Sucuri, two security companies, who noticed attacks on the client and server sides.