Ethical Hacking News
PolyShell attacks have been reported on 56.7% of all vulnerable Magento stores, exposing thousands of e-commerce businesses to critical security risks. The PolyShell vulnerability was first disclosed on March 19th, 2026, and has been exploited by hackers with malicious intent since then. The attacks use the PolyShell vulnerability for remote code execution or account takeover via stored cross-site scripting (XSS) if the web server configuration allows it. The PolyShell vulnerability is attributed to a flaw in Magento's REST API, which accepts file uploads as part of custom options for cart items. Attackers are using novel payment card skimmers that use Web Real-Time Communication (WebRTC) to exfiltrate data from vulnerable stores. Magento store owners must patch their stores and prevent further exploitation, with Adobe releasing a fix in version 2.4.9-beta1 on March 10th, 2026. A list of IP addresses targeting vulnerable web stores has been published by Sansec to help defenders protect against these attacks. The discovery highlights the importance of ongoing security monitoring and patching in the eCommerce sector.
PolyShell attacks have been reported on a staggering 56.7% of all vulnerable Magento stores, leaving thousands of e-commerce businesses exposed to critical security risks. This alarming situation is the result of a previously undisclosed vulnerability in Magento's REST API, known as PolyShell, which has been exploited by hackers with malicious intent.
According to experts at Sansec, a leading eCommerce security company, the PolyShell vulnerability was first disclosed just two days ago, on March 19th, 2026. Since then, hackers have launched mass exploitation of the critical issue, targeting more than half of all vulnerable stores. The attacks are using the PolyShell vulnerability to achieve remote code execution or account takeover via stored cross-site scripting (XSS), if the web server configuration allows it.
The PolyShell vulnerability is attributed to a flaw in Magento's REST API, which accepts file uploads as part of the custom options for a cart item. Attackers abuse this with polyglot files (files that are valid as an image and as something else, such as PHP or HTML), which pose a significant security risk when uploads are not properly sanitized or validated. The researchers at Sansec discovered that hackers are exploiting this issue to deliver novel payment card skimmers that use Web Real-Time Communication (WebRTC) to exfiltrate data.
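The upload flaw above comes down to trusting a file's declared type. As an added illustration (not Magento's or Sansec's code), the check below shows what server-side validation of a cart custom-option image upload should do: require the real magic bytes to match the declared extension, refuse double extensions, and reject files that also carry script markers. The function name and the sample files are constructed for this example.

```python
# Added example, not Magento's own code: defender-side validation for image
# uploads such as Magento cart "custom option" files, which the article says
# were abused with polyglot files (valid image + embedded PHP/HTML).
import re

# Accepted extensions and the magic-byte prefixes a real file of that type has.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that must never appear anywhere in the name (e.g. shell.php.png).
EXECUTABLE_PARTS = {"php", "phtml", "phar", "html", "htm", "js", "svg"}

# Markers that have no business inside a genuine image body.
SCRIPT_MARKERS = [rb"<\?php", rb"<\?=", rb"<script", rb"<svg", rb"javascript:"]


def check_custom_option_upload(filename: str, data: bytes):
    """Return (accepted, reason). Reject anything not provably a plain image."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if any(p in EXECUTABLE_PARTS for p in parts[1:-1]):
        return False, "double extension"
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not any(data.startswith(prefix) for prefix in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    for marker in SCRIPT_MARKERS:
        if re.search(marker, data, re.IGNORECASE):
            return False, "embedded script marker"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a clean PNG and a JPEG/PHP polyglot.
    clean = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    polyglot = b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>"
    print(check_custom_option_upload("photo.png", clean))
    print(check_custom_option_upload("photo.jpg", polyglot))
```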
The WebRTC skimmer is a lightweight JavaScript loader that connects to a hardcoded command-and-control (C2) server via WebRTC, bypassing normal signaling. It receives a second-stage payload over the encrypted channel and executes it while bypassing Content Security Policy (CSP), primarily by reusing an existing script nonce or falling back to unsafe-eval or direct script injection. Execution is delayed using 'requestIdleCallback' to reduce detection.
The attackers seem to be targeting e-commerce websites, with one such attack detected on the website of a car manufacturer valued at over $100 billion. The researchers at Sansec noticed that this skimmer was not immediately detectable due to its advanced techniques and evasion methods.
In light of these attacks, it is essential for Magento store owners to take immediate action to patch their stores and prevent further exploitation. Adobe has released a fix in version 2.4.9-beta1 on March 10th, 2026, but it has not yet reached the stable branch.
Sansec has published a list of IP addresses observed scanning for web stores vulnerable to PolyShell. This information can help defenders block or monitor those sources and mitigate the risk of further exploitation.
The discovery of this critical vulnerability highlights the importance of ongoing security monitoring and patching in the eCommerce sector. It serves as a reminder to store owners to prioritize their security posture and invest in robust protection measures to safeguard their customers' sensitive data.
In addition to the PolyShell attack, several other vulnerabilities are currently being actively exploited. These include:
* Critical Microsoft SharePoint flaw now exploited in attacks
* Ransomware gang exploits Cisco flaw in zero-day attacks since January
* CISA orders feds to patch n8n RCE flaw exploited in attacks
* Over 84,000 Roundcube instances vulnerable to actively exploited flaw
* CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
It is essential for businesses and organizations to stay vigilant and take proactive measures to address these vulnerabilities and protect their systems from further exploitation.
In conclusion, the PolyShell attack highlights the critical importance of security awareness and patching in the eCommerce sector. Magento store owners must prioritize their security posture and invest in robust protection measures to safeguard their customers' sensitive data.
Related Information:
https://www.ethicalhackingnews.com/articles/PolyShell-A-Critical-Vulnerability-Exposed-Leaving-56-of-Magento-Stores-at-Risk-ehn.shtml
https://www.bleepingcomputer.com/news/security/polyshell-attacks-target-56-percent-of-all-vulnerable-magento-stores/
https://meetanshi.com/blog/magento-polyshell/
Published: Wed Mar 25 18:08:30 2026 by llama3.2 3B Q4_K_M