Hackers are actively exploiting a critical Magento and Adobe Commerce vulnerability, dubbed “PolyShell,” to achieve remote code execution (RCE) and full account compromise across thousands of online stores.
The flaw, discovered by the Sansec Forensics Team and disclosed on March 17, 2026, affects Magento’s REST API.
It allows unauthenticated attackers to upload malicious files directly to the server, without needing valid credentials.
With no official patch available for current production versions, the risk remains high for e-commerce platforms worldwide.
How the PolyShell Flaw Works
The vulnerability exists in Magento’s anonymous guest cart functionality. When users add items to a cart, the system accepts custom file options.
These files are processed using base64-encoded data, along with a MIME type and filename.
However, the application fails to properly validate these inputs. It does not verify whether a file upload is required, ignores option ID checks, and lacks restrictions on file extensions.
As a result, attackers can upload malicious scripts disguised as harmless image files.
Threat actors are using polyglot files with malicious code hidden inside seemingly valid GIF or PNG images to bypass security filters.
A common technique involves embedding PHP code within a GIF89a header, allowing the file to execute on the server once uploaded.
The vulnerability affects multiple Magento and Adobe Commerce versions:
- Unrestricted file upload impacts all versions up to 2.4.9-alpha2
- Stored cross-site scripting (XSS) affects versions before 2.3.5
- Remote code execution depends on server configuration, particularly in Nginx and Apache environments
The issue is only patched in the unreleased 2.4.9-alpha3 branch, leaving most production systems exposed.
Sansec researchers reported mass scanning and active exploitation starting March 19, 2026, indicating that attackers quickly weaponized the flaw.
Security teams should watch for suspicious files and activity, including:
- Filenames such as index.php, json-shell.php, bypass.phtml, c.php, and rce.php
- Unicode-obfuscated filenames designed to evade detection
- Hardcoded MD5 hashes like a17028468cb2a870d460676d6d6da3ad63706778e3 and 4009d3fa8132195a2dab4dfa3affc8d2
- Malicious IP activity from sources such as 2.217.245.213 and 18.220.50.153
These web shells often allow attackers to execute arbitrary commands, upload additional malware, and maintain persistent access.
Until an official patch is released, organizations must take immediate defensive steps. Deploying a Web Application Firewall (WAF) is strongly recommended to block exploit attempts in real time.
Administrators should also restrict access to the pub/media/custom_options/ directory, where malicious files are typically stored. Nginx users must enforce strict deny rules, while Apache users should verify .htaccess protections are properly configured.
Finally, regular file system scans are critical. Even if initial execution fails, malicious uploads can remain dormant and be triggered later.
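As an added example (not code from Sansec or from this article), a small Python scanner that applies the indicators listed above to files under pub/media/custom_options/: executable extensions, non-ASCII filenames, and image magic bytes followed by a PHP open tag. The directory path used in the usage call and the sample byte strings are constructed for illustration.

```python
import os
import re

# Magic bytes of the image formats that PolyShell polyglots impersonate.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Extensions a PHP handler will execute if the web server serves the file.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}
# PHP open tags; a genuine image has no reason to contain one.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(name: str, data: bytes) -> list[str]:
    """Return findings for one uploaded file (empty list means nothing suspicious)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension {ext}")
    # The article notes Unicode-obfuscated filenames used to evade detection.
    if any(ord(ch) > 127 for ch in name):
        findings.append("non-ascii characters in filename")
    magic = next((fmt for sig, fmt in IMAGE_MAGIC.items() if data.startswith(sig)), None)
    has_php = PHP_TAG.search(data) is not None
    if magic and has_php:
        findings.append(f"polyglot: {magic} header with embedded PHP open tag")
    elif has_php:
        findings.append("PHP open tag in uploaded file")
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk root (e.g. pub/media/custom_options) and map suspicious paths to findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(65536)  # header plus enough body to catch the tag
            findings = classify_upload(fname, data)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Constructed path: adjust to the Magento document root on the host being checked.
    for path, hits in scan_directory("pub/media/custom_options").items():
        print(path, "->", "; ".join(hits))
```

Run it from the Magento root on a schedule; a clean directory produces no output, and any hit is a file that should not be served from that path.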
