Magento has released an advisory of a potential remote code execution vulnerability in Zend Framework which is bundled as part of the Magento application. This vulnerability is only exploitable if the following option is turned on and Magento has advised disabling this option until an official patch is released.
We have scanned for affected customers and notified them by email. We will automatically disable this tonight, for affected and notified customers, starting at 9 PM EST to protect Magento from this critical bug and further advise when an official patch is available. If this is something required to be enabled, you can also set this option to "Specified" and enter a static return path.
Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
Official Magento Security Notification:
Jan 16, 14:15 EST