Ethical Hacking News
Magento's PolyShell Flaw: A Critical Security Threat to E-commerce Sites
A critical security flaw in Magento's REST API, codenamed PolyShell, has been exposed, allowing unauthenticated attackers to upload arbitrary executables and achieve code execution. Learn more about this vulnerability and how it can impact your e-commerce site.
Magento's REST API has a critical security flaw, codenamed PolyShell, that allows unauthenticated attackers to upload arbitrary executables. Depending on the web server configuration, the vulnerability can enable remote code execution via PHP upload or account takeover via stored XSS. Adobe Commerce versions up to 2.4.9-alpha2 are affected by this issue. To mitigate the risk, e-commerce storefronts should restrict access to the upload directory and scan for web shells and malware. No evidence has been found that the shortcoming has been exploited in the wild, but it highlights the importance of keeping software up to date.
The online world is constantly evolving, and with it, new vulnerabilities are discovered that can compromise the security of websites. Recently, a critical security flaw was exposed in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables, achieve code execution, and take over accounts.
This vulnerability has been codenamed "PolyShell" by Sansec, the Dutch cybersecurity firm that first discovered it. The issue lies in the fact that Magento's REST API accepts file uploads as part of the custom options for cart items. When a product option has type 'file', Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. Depending on the web server configuration, an uploaded file can then enable remote code execution via PHP upload or account takeover via stored XSS.
Sansec noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but left current production versions without an isolated patch. This means that many e-commerce sites using these versions are now at risk of being compromised by attackers.
To mitigate any potential risk, e-commerce storefronts are advised to take three steps. Firstly, they should restrict access to the upload directory ("pub/media/custom_options/"). Secondly, they should verify that their nginx or Apache rules actually prevent requests from reaching that directory. Lastly, they should scan their stores for web shells, backdoors, and other malware.
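The two checks below, written in Python as an added example (this is not Sansec's, Adobe's or Magento's own code), put the mechanism described above and the three mitigation steps into concrete form: a request-side inspection of one file_info object from a cart item option, and a filesystem-side scan of the upload directory for files that look like server-side code. The key names base64_encoded_data, type and name, the MIME allow-list, the extension list and the nginx rule are this example's own assumptions; the article names the three fields and the directory but not these specifics.

```python
"""Defensive checks around the custom-option file upload described above.

Assumptions (this example's, not taken from Magento's code):
  * a 'file' option carries a file_info object with the keys
    'base64_encoded_data', 'type' (MIME) and 'name'; the article names the
    three fields but not the keys;
  * uploads land under pub/media/custom_options/ as the article states.
"""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List

# Extensions a web server may hand to the PHP interpreter (constructed list;
# align it with the server's own handler configuration).
SERVER_SIDE_EXTENSIONS = {".php", ".phtml", ".phar", ".phps", ".php5", ".php7"}

# PHP open tags anywhere in the body, case-insensitive.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Allow-listed MIME types with the magic bytes a decoded body must start with.
MAGIC_BY_MIME = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF",
}

# nginx rule that refuses direct requests to the upload directory (constructed;
# place it in the store's server block ahead of the generic /media/ location).
NGINX_DENY_RULE = "location ^~ /media/custom_options/ {\n    deny all;\n}"


def code_findings(name: str, body: bytes) -> List[str]:
    """Reasons a filename/body pair looks like server-side code (empty if none)."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    if ext in SERVER_SIDE_EXTENSIONS:
        findings.append(f"server-side extension {ext}")
    if PHP_OPEN_TAG.search(body):
        findings.append("php open tag in body")
    return findings


def make_file_info(name: str, mime: str, body: bytes) -> Dict[str, str]:
    """Build a file_info object the way a client would (used for samples)."""
    return {"name": name, "type": mime,
            "base64_encoded_data": base64.b64encode(body).decode("ascii")}


def inspect_file_info(file_info: Dict[str, str]) -> List[str]:
    """Request-side check: findings for one file_info object, [] if benign."""
    name = str(file_info.get("name", ""))
    mime = str(file_info.get("type", "")).lower()
    try:
        body = base64.b64decode(file_info.get("base64_encoded_data", ""),
                                validate=True)
    except (binascii.Error, ValueError):
        return ["base64_encoded_data is not valid base64"]
    findings = []
    if mime not in MAGIC_BY_MIME:
        findings.append(f"MIME type {mime!r} not in allow-list")
    elif not body.startswith(MAGIC_BY_MIME[mime]):
        findings.append(f"body does not match magic bytes for {mime}")
    findings.extend(code_findings(name, body))
    return findings


def scan_upload_dir(root: str) -> Dict[str, List[str]]:
    """Filesystem-side check: every file under root that looks like code."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = code_findings(fname, fh.read())
            if hits:
                report[path] = hits
    return report


def demo_scan() -> Dict[str, List[str]]:
    """Scan a constructed throw-away upload tree; keys are basenames."""
    samples = {"photo.gif": b"GIF89a", "upload.php": b"plain text",
               "image.png": b"\x89PNG\r\n\x1a\n<?= 1 ?>"}
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "quote", "1")
        os.makedirs(sub)
        for fname, body in samples.items():
            with open(os.path.join(sub, fname), "wb") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_upload_dir(root).items()}


if __name__ == "__main__":
    print(NGINX_DENY_RULE)
    print(inspect_file_info(make_file_info("a.php", "image/png", b"<?php echo 1;")))
    print(demo_scan())
```

In production, point scan_upload_dir at the real pub/media/custom_options/ path and treat any finding as an incident to investigate rather than a file to silently delete, since the file's presence tells you the upload path was reachable. The nginx rule is a stopgap that stops a dropped file from being served; it does not remove the need for Adobe's fix.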
The vulnerability was discovered at a time when thousands of Magento e-commerce sites across multiple sectors and geographies were being compromised by a threat actor uploading plaintext files to publicly accessible web directories. Netcraft flagged an ongoing campaign involving the compromise and defacement of these websites, which commenced on February 27, 2026. It is not yet clear whether the attacks are exploiting a specific Magento vulnerability or a misconfiguration.
It's worth noting that Adobe Commerce versions up to 2.4.9-alpha2 were affected by this issue. No evidence has been found that the shortcoming has been exploited in the wild, but it highlights the importance of keeping software up to date and being vigilant about security updates.
In recent weeks, The Hacker News has seen a growing number of reports on the PolyShell vulnerability. This is a stark reminder to web developers, administrators, and users alike to stay alert and take immediate action if they are using Magento's REST API.
Related Information:
https://www.ethicalhackingnews.com/articles/Magneto-PolyShell-Flaw-Exposed-A-Critical-Security-Threat-to-E-commerce-Sites-ehn.shtml
https://thehackernews.com/2026/03/magento-polyshell-flaw-enables.html
https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/
Published: Fri Mar 20 10:32:34 2026 by llama3.2 3B Q4_K_M