Magento Vulnerability - Hackers Exploit PolyShell for RCE
Basically, hackers found a way to upload harmful files to Magento stores and take control of accounts.
A critical vulnerability in Magento allows hackers to execute remote code and take over accounts. This flaw, known as PolyShell, poses a serious risk to e-commerce platforms. Immediate action is necessary as no patch is currently available.
The Flaw
The PolyShell vulnerability is a critical unrestricted file upload flaw affecting Magento and Adobe Commerce stores. Discovered by the Sansec Forensics Team, it allows unauthenticated attackers to achieve remote code execution (RCE) and completely take over accounts. The vulnerability exists mainly because essential security checks are missing from the Magento REST API, particularly in the anonymous guest cart routes, which lets attackers bypass authentication entirely.
When a product option is set to accept files, Magento processes base64-encoded file data and writes it directly to the server’s pub/media/custom_options/quote/ directory. Unfortunately, the system fails to validate the submitted option ID against the product’s actual options, allowing attackers to upload malicious files without restrictions. The absence of file extension restrictions means that executable files like .php and .phar can be uploaded, making this vulnerability particularly dangerous.
What's at Risk
Since mid-March 2026, hackers have been conducting mass automated attacks against vulnerable e-commerce platforms. Sansec observed over 50 IP addresses targeting approximately 23% of protected stores. The attackers deploy polyglot files, which are valid image files containing hidden executable PHP code. This allows them to execute commands on compromised servers, leading to complete account takeover.
The vulnerable code has existed since the first release of Magento 2, affecting all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2. Stored cross-site scripting (XSS) vulnerabilities also affect all versions before 2.3.5. The risk of remote code execution varies based on server configurations, particularly affecting default Nginx and Apache setups.
Patch Status
Currently, there is no official patch available for production environments. Adobe has addressed the issue in the pre-release 2.4.9-alpha3 branch, but this does not help those using earlier versions. The lack of a timely patch puts many organizations at significant risk, as attackers continue to exploit this vulnerability with increasing frequency.
Administrators are urged to take immediate action to mitigate the risk. A Web Application Firewall (WAF) can block exploitation attempts in real time. In addition, restricting web server access to the pub/media/custom_options/ directory is crucial: even if a file is written there, it must not be servable or executable.
Immediate Actions
Organizations should prioritize securing their Magento installations against this vulnerability. Here are some recommended actions:
- Deploy a Web Application Firewall (WAF) to monitor and block suspicious activities.
- Restrict web server access to the pub/media/custom_options/ directory.
- For Nginx, configure a location block with a deny-all directive, while Apache users should enforce strict .htaccess rules.
- Regularly scan environments for hidden webshells to detect potential compromises.
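The Nginx step above, written out as an added hardening example (this is not configuration from the advisory or from Magento). It assumes the Nginx `root` is Magento's pub/ directory, so that the upload target pub/media/custom_options/ is reachable as the URL prefix /media/custom_options/; adjust the path if your document root differs.

```nginx
# Added example, not from the advisory. Assumes `root` points at Magento's
# pub/ directory, so pub/media/custom_options/ is served as /media/custom_options/.
# Place this inside the server {} block that serves the store.
#
# The `^~` modifier matters: without it, a regular-expression location such as
# `location ~ \.php$` (the usual PHP-FPM handler) takes precedence over a plain
# prefix match, and a request for /media/custom_options/quote/x.php would still
# reach the PHP interpreter. With `^~`, this prefix wins and no regex location
# is consulted, so nothing under the directory is served or executed.
location ^~ /media/custom_options/ {
    deny all;
}
```

Reload Nginx after the change and confirm with a request for any path under /media/custom_options/ that the server answers 403. For Apache 2.4 the equivalent is a `Require all denied` directive applied to the same directory (in the vhost's `<Directory>` block, or in a .htaccess file if `AllowOverride` permits it), which likewise stops uploaded .php/.phar files and image polyglots from ever being requested, regardless of whether the upload bug itself is patched.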
Taking these steps can significantly reduce the risk of exploitation until an official patch is released. Security teams must remain vigilant and proactive to safeguard their systems against this critical vulnerability.
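The scanning step above, and the polyglot files described under "What's at Risk", as an added example (this is not code from the advisory or from Sansec). It walks a custom_options directory and flags two things a legitimate customer upload should never be: a file with an executable extension, and a file that starts with image magic bytes but also carries a PHP open tag. The directory layout, file names and file contents below are constructed for the demonstration; point `scan()` at the real pub/media/custom_options/ path on a store to use it there.

```python
"""Added example (not from the advisory): find executable files and image
polyglots in Magento's custom-option upload directory. Sample files are
constructed inline so the script runs stand-alone."""
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server may execute if the directory is not blocked.
EXECUTABLE_EXT = {".php", ".phar", ".phtml", ".php5", ".php7", ".pht"}

# Magic bytes of the image formats a "valid image" polyglot usually imitates.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags: the full tag and the short echo tag `<?=`, which is always enabled.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image format the bytes claim to be, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(path: Path) -> list:
    """Return the reasons a file is suspicious; an empty list means nothing found."""
    reasons = []
    # Check every suffix so 'shell.jpg.php' and 'shell.php.jpg' are both caught.
    suffixes = {s.lower() for s in path.suffixes}
    if suffixes & EXECUTABLE_EXT:
        reasons.append("executable extension")
    data = path.read_bytes()
    if PHP_TAG.search(data):
        kind = image_type(data)
        reasons.append(f"php tag inside {kind or 'non-image'} file")
    return reasons


def scan(root) -> dict:
    """Walk root recursively; map relative path -> reasons for every flagged file."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_dir() -> str:
    """Constructed sample tree mimicking pub/media/custom_options/quote/."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = Path(root, "quote")
    quote.mkdir()
    # Benign upload: a JPEG header followed by padding, no PHP.
    (quote / "receipt.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # Polyglot: a valid PNG header with a (harmless) PHP tag appended after the image data.
    (quote / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<?php echo 'x'; ?>")
    # Executable extension with plain PHP inside (content kept harmless for the demo).
    (quote / "shell.phar").write_bytes(b"<?php echo 'x'; ?>")
    # Double extension and upper-case variant; both are still executable on many setups.
    (quote / "photo.jpg.php").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 8)
    (quote / "NOTES.PHTML").write_bytes(b"<?= 'x' ?>")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, why in scan(sample).items():
        print(f"{rel}: {', '.join(why)}")
```

The extension check is deliberately case-insensitive and looks at every suffix, because the advisory notes the upload path enforces no extension restriction at all, so an attacker is not limited to a tidy `.php` ending. The content check reads whole files, which is fine for an upload directory of customer attachments; for very large trees, restrict the read to a fixed-size head and tail, since polyglots usually keep the PHP payload near one end of the file.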