Security experts have identified a significant threat targeting Magento and Adobe Commerce stores, known as the ‘PolyShell’ vulnerability. This critical issue allows cybercriminals to execute remote code and gain full access to user accounts, posing severe risks to online retailers.
Details of the PolyShell Vulnerability
Detected by the Sansec Forensics Team, the PolyShell flaw exploits the Magento REST API, particularly the anonymous guest cart routes. This vulnerability enables attackers to bypass authentication and execute malicious actions.
The root of the problem lies in the system’s inability to perform essential security checks. Specifically, it fails to validate option IDs, enforce file-type restrictions, and block executable file extensions, which hackers exploit by uploading files with dangerous extensions like .php and .phar.
Impact and Exploitation Patterns
Since mid-March 2026, cybercriminals have been launching automated attacks against susceptible e-commerce platforms. Sansec reported mass scanning activities starting on March 19, with numerous IP addresses targeting a significant portion of protected stores.
Attackers use polyglot files, which appear as legitimate images but contain hidden executable PHP code. Two main types of malicious payloads are employed: cookie-authenticated webshells and password-protected remote code execution (RCE) shells, often concealed with Unicode obfuscation.
Mitigation Measures and Recommendations
Despite Adobe’s efforts to address the issue in a pre-release version, many production environments remain vulnerable. The flaw affects Magento versions up to 2.4.9-alpha2, with variations in risk depending on server configurations and software versions.
Experts suggest immediate actions to safeguard systems, such as deploying a Web Application Firewall (WAF) and restricting access to critical directories. Nginx servers should implement location blocks to deny unauthorized access, while Apache servers require stringent .htaccess rules.
Organizations are urged to regularly scan their environments for hidden webshells and stay informed through reliable cybersecurity news sources. Immediate defensive strategies are essential to mitigate potential damage until an official patch is released.
Stay updated with the latest developments in cybersecurity by following us on Google News, LinkedIn, and X. Reach out to share your security stories and insights.
