Critical Magento Vulnerability PolyShell Actively Exploited; Urgent Mitigation Needed to Prevent E-commerce Attacks

Critical Magento Vulnerability ‘PolyShell’ Under Active Exploitation: Immediate Action Required

A severe security flaw, termed PolyShell, has been identified in Magento and Adobe Commerce platforms, posing a significant threat to e-commerce sites worldwide. This vulnerability enables unauthenticated attackers to execute remote code, potentially leading to full account takeovers. Discovered by the Sansec Forensics Team, the flaw is currently being exploited in mass automated attacks, with no official patch available for production environments as of March 25, 2026.

Understanding the PolyShell Vulnerability

PolyShell targets the Magento REST API, specifically exploiting anonymous guest cart routes. This allows attackers to bypass authentication mechanisms entirely. The core of the vulnerability lies in the handling of base64-encoded file data, which Magento processes and writes directly to the server’s `pub/media/custom_options/quote/` directory when a product option is set to accept files.

Three missing checks in the upload path make this exploitable:

1. Option ID Validation: The system does not verify the submitted option ID against the product’s actual options.

2. Option Type Gating: The file upload logic is triggered regardless of whether the product has a file-type option.

3. File Extension Restriction: Executable extensions like `.php` and `.phar` are not blocked, relying solely on an easily bypassed image header validation.

These oversights allow attackers to upload malicious files, such as polyglot files that appear as valid GIF or PNG images but contain executable PHP code.

Active Exploitation and Attack Patterns

Since March 19, 2026, Sansec has observed automated mass scanning for this vulnerability, with over 50 IP addresses targeting approximately 23% of protected stores. Attackers deploy polyglot files to establish a foothold within the server environment.

Two primary types of malicious payloads have been identified:

1. Cookie-Authenticated Webshells: These rely on MD5 hash verification via a cookie named ‘d’ and often use filenames like `index.php`, `bypass.php`, and `c.php`.

2. Password-Protected RCE Shells: Utilizing double-MD5 hash verification, these shells pass commands directly to the system and are commonly dropped as files such as `rce.php` or `mikhail.html`.

In some instances, attackers employ Unicode obfuscation on these filenames to evade detection by basic security scanners.

Affected Versions and Mitigation Strategies

The vulnerable code has been present since the initial release of Magento 2. While Adobe has patched the issue in the pre-release 2.4.9-alpha3 branch as part of APSB25-94, current production stores remain highly exposed.

The severity of the vulnerability varies based on software version and server setup:

– Unrestricted File Upload Flaw: Affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2.

– Stored Cross-Site Scripting (XSS): Affects all versions before 2.3.5, as well as environments with custom server configurations.

– Remote Code Execution Risks: Particularly affect the default Nginx configurations used with Magento versions 2.0.0 through 2.2.x, and Apache servers lacking specific PHP restrictions.

Immediate Defensive Actions

Given the absence of an official production patch, administrators are urged to implement the following measures:

1. Deploy a Web Application Firewall (WAF): This can block exploitation attempts in real time.

2. Restrict Web Server Access: Limit access to the `pub/media/custom_options/` directory. For Nginx, this requires a location block with a ‘deny all’ directive that takes precedence over the regex location that routes `.php` requests to PHP, otherwise an uploaded script under that path is still executed. Apache servers should implement strict `.htaccess` rules.

3. Conduct Regular Security Scans: Actively scan environments for hidden webshells to detect potential compromises.
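To make step 3 concrete, here is an added example (not Sansec's or Adobe's code) of a defender-side scanner for the upload directory named above. It applies the three signals the article describes: executable extensions, Unicode-disguised filenames, and files that carry a GIF/PNG/JPEG header but also contain PHP code. The `.phtml`/`.html` extensions and the sample files in `demo()` are assumptions constructed for the demonstration.

```python
import re
import tempfile
import unicodedata
from pathlib import Path
from typing import List, Optional, Tuple

# .php/.phar are the extensions the article names; .phtml/.html are added here as an assumption.
EXECUTABLE_EXTENSIONS = {".php", ".phar", ".phtml", ".html"}
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")  # headers a polyglot borrows
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def normalized_name(name: str) -> str:
    """NFKC-fold compatibility forms and drop invisible (Cf) chars so a disguised '.php' reads as '.php'."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")

def classify_bytes(data: bytes) -> Optional[str]:
    """Return why the content is suspicious, or None for a plain image."""
    has_php = PHP_TAG.search(data) is not None
    if has_php and data.startswith(IMAGE_MAGIC):
        return "image/PHP polyglot"
    return "PHP code in upload" if has_php else None

def inspect_file(path: Path) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for one upload; an empty list means it looks clean."""
    findings = []
    clean = normalized_name(path.name)
    if clean != path.name:
        findings.append((str(path), "unicode-obfuscated filename"))
    ext = Path(clean.lower()).suffix
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append((str(path), f"executable extension {ext}"))
    reason = classify_bytes(path.read_bytes())  # option uploads are small; read the whole file
    if reason:
        findings.append((str(path), reason))
    return findings

def scan_directory(root: Path) -> List[Tuple[str, str]]:
    """Walk a directory such as pub/media/custom_options/quote/ and collect every finding."""
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in inspect_file(p)]

def demo() -> List[Tuple[str, str]]:
    """Constructed sample uploads (not real captures) in a temp dir; returns sorted (name, reason)."""
    root = Path(tempfile.mkdtemp(prefix="custom_options_"))
    (root / "legit.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (root / "photo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00<?php echo 'x'; ?>")
    (root / "rce.php").write_bytes(b"<?php echo 'x';")
    (root / "shell\uff0e\uff50\uff48\uff50").write_bytes(b"GIF89a<?php echo 'x';")  # fullwidth ".php"
    return sorted((Path(p).name, r) for p, r in scan_directory(root))
```

Point `scan_directory()` at the real `pub/media/custom_options/` tree and treat any finding as a compromise indicator to be investigated, not just deleted.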

The Sansec Forensics Team emphasizes the urgency of these actions to mitigate the risk posed by the PolyShell vulnerability until an official production patch is released.