Cybersecurity & Privacy

PolyShell Flaw Enables Unauthenticated RCE on Magento Stores

alex2404
By
alex2404
Byalex2404
Follow:
Disclosure: This website may contain affiliate links, which means I may earn a commission if you click on the link and make a purchase. I only recommend products or services that I personally use and believe will add value to my readers. Your support is appreciated!

Unauthenticated remote code execution vulnerabilities in e-commerce platforms carry outsized risk because they require no credentials, no social engineering, and no insider access — only a reachable endpoint.

Contents

A newly disclosed flaw called PolyShell meets that description exactly. According to the report, the vulnerability affects all stable version 2 installations of both Magento Open Source and Adobe Commerce, enabling unauthenticated code execution and account takeover. Sansec, the eCommerce security firm that disclosed the issue, states that “the exploit method is circulating already” and expects automated attacks to begin shortly, even though no active exploitation has been confirmed in the wild.

The flaw originates in how Magento‘s REST API handles file uploads tied to cart item custom options. When a product option carries the type “file,” the platform processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename, then writes that file to pub/media/custom_options/quote/ on the server. The name PolyShell reflects the technique at its core: a polyglot file constructed to behave simultaneously as an image and a script. Depending on how the web server is configured, an attacker can leverage this to achieve remote code execution or, where direct execution is blocked, account takeover through stored cross-site scripting. Sansec says its analysis of known Magento and Adobe Commerce stores found that many expose files in that upload directory.

Adobe has released a fix, but only within the second alpha release for version 2.4.9 — a pre-production build that store operators cannot deploy in live environments.

That gap leaves the entire production install base without an official patch. Adobe does offer a sample web server configuration that the report says “would largely limit the fallout,” but Sansec notes that most stores rely on configurations set by their hosting providers rather than a custom-hardened setup, making that mitigation unreliable in practice for a large portion of affected merchants.

Until a production-ready patch is available, Sansec recommends that administrators take three immediate steps:

More Read

CanisterWorm Hits 47 npm Packages in Trivy Supply Chain Attack
Perseus Android Malware Monitors Notes Apps for Financial Data
Oracle Emergency Patch Fixes Critical RCE Flaw CVE-2026-21992
INTERPOL Seizes 45,000 Malicious IPs in Global Cybercrime Sweep
FBI Warns Russian Hackers Hijacking Signal and WhatsApp Accounts
  • Restrict access to the pub/media/custom_options/ directory
  • Verify that nginx or Apache rules actively prevent access to that path
  • Scan stores for uploaded shells, backdoors, or other malware

Patch Timeline Unclear

No confirmed timeline exists for when Adobe will deliver a fix to stable production versions. The combination of a circulating exploit method, a broad install base, and a patch confined to an alpha release makes the interim window materially risky for any merchant running a default or hosting-provider-managed configuration.

Photo by Tima Miroshnichenko on Pexels

This article is a curated summary based on third-party sources. Source: Read the original article

TAGGED:
Share This Article
Previous Article Acropolis Marble Fragment Found in Lord Elgin’s Shipwreck
Next Article Brazil Shelves Crypto Tax Consultation Until After 2026 Election
Archives