A critical security vulnerability, dubbed PolyShell, has been identified in Magento’s REST API. It allows unauthenticated attackers to upload arbitrary files into a web-accessible directory, which, depending on how the web server is configured, leads either to remote code execution (RCE) or to account takeover via stored cross-site scripting. The flaw affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2.
Understanding the PolyShell Vulnerability
PolyShell arises from the way Magento’s REST API handles file uploads attached to custom options on cart items. When a product option is of the ‘file’ type, the request can carry an embedded `file_info` object containing base64-encoded file data, a declared MIME type, and a filename. Magento decodes the data and writes it to the server’s `pub/media/custom_options/quote/` directory without adequately validating either the content or the filename. Because the cart endpoints are reachable by guest users, no authentication is required to trigger the write.
Depending on the web server’s configuration, this flaw can be exploited in two primary ways:
1. Remote Code Execution (RCE): The attacker uploads a PHP web shell whose declared MIME type and filename make it look like an image, or a polyglot file that is simultaneously a valid image and valid PHP. If the web server is configured, or misconfigured, to hand files in the upload directory to the PHP interpreter, a single request to the uploaded file executes the attacker’s code with the privileges of the web server user, giving full control of the store.
2. Account Takeover via Stored Cross-Site Scripting (XSS): Even where PHP is not executed from the upload directory, the attacker can upload an HTML or SVG file carrying JavaScript. Because the file is served from the store’s own origin, a customer or administrator who opens it runs the script in the context of their authenticated session, so it can perform actions as that user, exfiltrate data, or otherwise hijack the session.
Mitigation Strategies
To protect against potential exploitation of the PolyShell vulnerability, Magento store administrators are advised to implement the following measures:
– Restrict Access to the Upload Directory: Ensure that `pub/media/custom_options/` cannot be requested directly over HTTP. Magento’s shipped `nginx.conf.sample` and the `.htaccess` files under `pub/media/` already deny access to this directory; confirm that those rules are present in the configuration actually in use, since custom or third-party server configurations frequently omit them.
– Verify Web Server Configuration: Review the nginx or Apache configuration to ensure that nothing under `pub/media/` is ever passed to PHP-FPM or `mod_php`; the directory should be served as static content only. On Apache, make sure `AllowOverride` does not let an uploaded `.htaccess` re-enable PHP handling. Test the result by placing a harmless `.php` file in the directory and confirming that a request for it is denied or returned as plain text, never executed.
– Implement a Web Application Firewall (WAF): Deploy a WAF in front of the REST API to inspect cart requests that carry a `file_info` object and block those whose filename has an executable extension or whose decoded body contains PHP or script content. A WAF is a compensating control that buys time until the vendor fix is available, not a replacement for it.
– Regular Security Scans: Routinely scan `pub/media/` for files with PHP extensions, for non-PHP files that contain PHP open tags, and for HTML or SVG files containing script, paying particular attention to recently modified files. Finding and removing web shells early limits the damage a successful upload can do.
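The following Python script is an added example, not code from this article or from Magento, that ties the mechanism described above to the last two mitigations: it checks a decoded `file_info` object the way a WAF or request filter would (declared MIME type against magic bytes, executable extensions anywhere in the filename, PHP open tags, script content), and reuses the same checks to scan an upload directory at rest. It goes beyond the article in also flagging double extensions such as `shell.php.jpg` and uploaded `.htaccess` or `.user.ini` files, which are the usual ways a “non-executable” upload directory gets turned back into an executable one. The `file_info` field names `name`, `type` and `base64_encoded_data` follow Magento’s `ImageContentInterface` and should be treated as an assumption; all sample files are constructed, not captured uploads.

```python
"""Added example: detect PHP web shells and script-bearing files among
Magento custom-option uploads, both at request time (a decoded REST
`file_info` object) and at rest (a scan of pub/media/custom_options/).
Illustrative defence-in-depth code, not Magento's own validation."""
import base64
import os
import re
import tempfile
from pathlib import Path

# Suffixes PHP handlers commonly execute, plus files that can change how
# the web server treats a directory if AllowOverride permits it.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps", ".pht"}
CONFIG_NAMES = {".htaccess", ".user.ini"}

# Magic bytes of the image types a store would normally accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
SUFFIX_MIME = {".png": "image/png", ".jpg": "image/jpeg",
               ".jpeg": "image/jpeg", ".gif": "image/gif"}

PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
SCRIPT = re.compile(rb"<script\b|\bon(load|error|click)\s*=|javascript:", re.IGNORECASE)


def inspect_upload(filename: str, declared_mime: str, data: bytes) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    name = Path(filename).name.lower()
    suffixes = {s.lower() for s in Path(filename).suffixes}
    if name in CONFIG_NAMES:
        findings.append(f"server config file in upload dir: {name}")
    # Any executable suffix anywhere in the name catches shell.php.jpg,
    # which some Apache AddHandler configurations still run as PHP.
    if EXEC_EXTS & suffixes:
        findings.append(f"executable extension in filename: {filename}")
    expected = MAGIC.get(declared_mime.lower())
    if expected and not data.startswith(expected):
        findings.append(f"content does not match declared type {declared_mime}")
    if PHP_TAG.search(data):
        findings.append("PHP open tag in content")
    if SCRIPT.search(data):
        findings.append("script content (stored-XSS candidate)")
    return findings


def inspect_file_info(file_info: dict) -> list[str]:
    """Check a decoded REST file_info object before it is written to disk.
    Field names follow Magento's ImageContentInterface (assumed here)."""
    try:
        data = base64.b64decode(file_info["base64_encoded_data"], validate=True)
    except (KeyError, ValueError) as exc:
        return [f"undecodable base64 body: {exc}"]
    return inspect_upload(file_info.get("name", ""), file_info.get("type", ""), data)


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk an upload tree and map each suspicious relative path to findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = Path(dirpath) / fn
            data = path.read_bytes()
            # Nothing declares a MIME type at rest, so infer it from the
            # suffix; a PHP body in a .jpg then still trips the mismatch.
            guessed = SUFFIX_MIME.get(path.suffix.lower(), "")
            findings = inspect_upload(fn, guessed, data)
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


# Constructed sample uploads (not real captures): one benign image, one PHP
# shell behind an image name, one GIF/PHP polyglot, one double extension,
# one SVG with an event handler and one .htaccess re-enabling PHP.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.jpg": b"<?php system($_GET['c']); ?>",
    "cat.gif": b"GIF89a" + b"\x00" * 8 + b"<?php eval(base64_decode($_POST['p'])); ?>",
    "img.php.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>',
    ".htaccess": b"AddType application/x-httpd-php .jpg\n",
}

# What the REST request for shell.jpg would carry, in the assumed field names.
SAMPLE_FILE_INFO = {
    "name": "shell.jpg",
    "type": "image/jpeg",
    "base64_encoded_data": base64.b64encode(SAMPLES["shell.jpg"]).decode(),
}


def demo_scan() -> dict[str, list[str]]:
    """Write the constructed samples to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            (Path(root) / name).write_bytes(body)
        return scan_directory(root)


if __name__ == "__main__":
    print("request-time:", inspect_file_info(SAMPLE_FILE_INFO))
    for rel, why in demo_scan().items():
        print(f"{rel}: {'; '.join(why)}")
```

Point `scan_directory` at `pub/media/custom_options/` (or all of `pub/media/`) and treat every finding as a triage lead rather than a verdict: a clean scan does not prove the absence of a shell, and an attacker who controls a file can obfuscate its contents. The request-time check is meant to sit in a WAF rule or a request filter in front of the unpatched endpoint; it is a stopgap, not a substitute for Adobe’s fix.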
Adobe’s Response and Patch Availability
Adobe has addressed PolyShell in the 2.4.9 pre-release branch as part of security bulletin APSB25-94, but no isolated patch exists for the production releases currently in use. Until one ships, the server-side mitigations above are the only protection available to administrators.
Broader Implications and Recent Attacks
The discovery of the PolyShell vulnerability coincides with reports from Netcraft about an ongoing campaign targeting thousands of Magento e-commerce sites. Since February 27, 2026, attackers have been compromising and defacing numerous Magento sites across various sectors and geographies. The attackers have deployed defacement text files across approximately 15,000 hostnames spanning 7,500 domains, including infrastructure associated with prominent global brands, e-commerce platforms, and government services.
While it’s not yet clear if these attacks are directly exploiting the PolyShell vulnerability, the timing underscores the importance of promptly addressing security flaws in Magento installations.
Historical Context: Magento’s Security Challenges
Magento has faced several critical vulnerabilities in the past, highlighting the platform’s ongoing security challenges:
– CVE-2025-54236 (SessionReaper): In September 2025, Adobe warned of a critical security flaw in its Commerce and Magento Open Source platforms that could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carried a CVSS score of 9.1 and was described as an improper input validation flaw. Adobe released a hotfix and deployed web application firewall (WAF) rules to protect environments against exploitation attempts targeting merchants using Adobe Commerce on Cloud infrastructure. ([thehackernews.com](https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html?utm_source=openai))
– CVE-2022-24086: In February 2022, Adobe rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products. The flaw, tracked as CVE-2022-24086, had a CVSS score of 9.8 and was characterized as an improper input validation issue that could be weaponized to achieve arbitrary code execution. Adobe noted that the vulnerability had been exploited in the wild in very limited attacks targeting Adobe Commerce merchants. ([thehackernews.com](https://thehackernews.com/2022/02/critical-magento-0-day-vulnerability.html?utm_source=openai))
– Xurum Attacks: In August 2023, e-commerce sites using Adobe’s Magento 2 software were targeted in an ongoing campaign dubbed Xurum. The attacks leveraged the critical security flaw CVE-2022-24086 in Adobe Commerce and Magento Open Source, leading to arbitrary code execution. The attackers demonstrated a high level of expertise in Magento, investing considerable time in understanding its internals, setting up attack infrastructure, and testing their exploits on real targets. ([thehackernews.com](https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html?utm_source=openai))
Conclusion
PolyShell is a stark reminder of how much the security of a Magento store depends on defence in depth. Administrators should apply Adobe’s fix as soon as it is released for production versions and, until then, rely on the web server hardening, monitoring and scanning described above to protect their sites and customer data from exploitation.