Data: CASIE
Negative Trigger
to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk. The warning comes from security firm DefenseCode, which found and originally reported the vulnerability to Magento in November.
“During the security audit of Magento Community Edition, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information,” DefenseCode wrote in a technical description of its discovery (PDF) posted Wednesday.
According to Bosko Stankovic, information security engineer at DefenseCode, the vulnerability remains unpatched despite repeated efforts to notify Magento, beginning in November 2016, and despite four version updates released since the disclosure. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns that both editions share the same underlying vulnerable code.
“We’re unsure if this vulnerability is actively being exploited in the wild, but since the vulnerability has been unpatched for so long it provides a window of opportunity for potential hackers,” Stankovic said.
Magento confirmed the existence of the flaw in a brief statement to Threatpost and said it was investigating. “We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes,” Magento said in a statement.
In a fuller statement, Magento said: “Yesterday, Threatpost reported a story about a remote code execution vulnerability with Magento 2 Enterprise and Community software. Magento is committed to delivering superior security to clients and has been actively investigating the root cause of the reported issue. We are not aware of any attacks in the wild. Admin access is required to execute the exploit, so as always, we encourage you to follow best practices to keep your Admin secure. In addition, this vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks.”
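The interim mitigation Magento points at, “Add Secret Key to URLs”, works by binding every admin link to the logged-in session: a request that an admin's browser is tricked into sending from a third-party page cannot carry the right key, because that page never sees it. The block below is an added example written for this page, not Magento's own code. It is a hypothetical, simplified model of such a check in Python; the `https://shop.example/admin/...` URL scheme, the HMAC construction, the `key` parameter name and the route names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical model of a per-session "secret key in URL" check.
# Illustrative code for this page; it is NOT Magento's implementation.

ADMIN_PREFIX = "/admin"  # assumed admin path prefix


class AdminSession:
    """One logged-in admin's server-side session state (hypothetical)."""

    def __init__(self) -> None:
        self.session_id = secrets.token_hex(16)
        # Per-session secret that never reaches the browser, so a page on
        # another origin cannot learn it and cannot forge a valid key.
        self._secret = secrets.token_bytes(32)

    def url_key(self, route: str) -> str:
        """Key for one route under this session: HMAC(secret, session_id|route)."""
        msg = f"{self.session_id}|{route}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def build_admin_url(self, route: str, params: dict, add_secret_key: bool) -> str:
        """Server-side link builder; add_secret_key mirrors the config switch."""
        query = dict(params)
        if add_secret_key:
            query["key"] = self.url_key(route)
        return f"https://shop.example{ADMIN_PREFIX}{route}?{urlencode(query)}"


def check_admin_request(session: AdminSession, url: str, enforce_secret_key: bool) -> bool:
    """Return True if the admin action named by `url` should be executed."""
    parsed = urlparse(url)
    route = parsed.path
    if route.startswith(ADMIN_PREFIX):
        route = route[len(ADMIN_PREFIX):]
    if not enforce_secret_key:
        # Weak configuration: being logged in is the only check, so any URL
        # the admin's browser loads (e.g. via an <img src> on another site) runs.
        return True
    supplied = parse_qs(parsed.query).get("key", [""])[0]
    # Constant-time compare against the key the server would have issued
    # for this session and this route.
    return hmac.compare_digest(supplied, session.url_key(route))


def demo() -> dict:
    """Exercise the weak and the enforced setting on constructed requests."""
    session = AdminSession()
    # Constructed attacker URL: a third-party page cannot know the key, so the
    # forged link can only omit it or guess.
    forged = "https://shop.example/admin/catalog/product/save?name=pwned"
    # Legitimate link produced by the server's own link builder.
    legit = session.build_admin_url("/catalog/product/save", {"name": "ok"}, add_secret_key=True)
    # Same valid key pasted onto a different route: rejected, since the key
    # is bound to the route it was issued for.
    replayed = legit.replace("/product/save", "/product/delete")
    return {
        "forged_without_enforcement": check_admin_request(session, forged, False),
        "forged_with_enforcement": check_admin_request(session, forged, True),
        "legit_with_enforcement": check_admin_request(session, legit, True),
        "key_replayed_on_other_route": check_admin_request(session, replayed, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The check only defends against requests that ride on an admin's authenticated browser session; it does nothing against an attacker who already holds valid admin credentials, which is why the statement also points at keeping the Admin account itself secure. Note also that the key is worthless if it leaks, so admin links carrying it should not be shared or logged.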