Magento’s PolyShell Peril: E-Stores Exposed to Stealth Code Attacks
A newly uncovered Magento flaw dubbed "PolyShell" threatens thousands of online shops with remote code execution before a production fix is available.
It’s the nightmare scenario every online merchant dreads: a flaw lurking in the digital foundations, waiting for cybercriminals to strike. This week, the e-commerce world was rocked by the revelation of “PolyShell,” a critical vulnerability in Magento and Adobe Commerce platforms that leaves countless stores wide open to attack.
Fast Facts
- PolyShell enables unauthenticated remote code execution (RCE) on Magento and Adobe Commerce stores.
- The flaw affects all stable Magento Open Source and Adobe Commerce version 2 installations.
- Adobe’s official fix is only available in an alpha release, not for production sites.
- Exploit methods are already circulating, with mass attacks expected soon.
- Security experts urge immediate action to restrict access and scan for malware.
Behind the PolyShell Threat
Discovered by security firm Sansec, the PolyShell vulnerability lies in how Magento’s REST API handles product options that allow file uploads. When a customer adds a product to their cart with a file-type custom option, the API accepts the file’s contents as base64-encoded data, decodes them and stores the result on the server. The mechanism is meant for innocuous uploads such as images, but an attacker can use it to place a file of their own choosing on the server.
Here is where things get dangerous: PolyShell uses a “polyglot” file, crafted so that it passes as a harmless image while also carrying executable script content. What happens next depends on the store’s web server configuration: if the server will execute scripts from the upload directory, the attacker gains remote code execution; if it merely serves the file back to browsers, the embedded script can run in customers’ sessions as a stored cross-site scripting (XSS) attack and be used to hijack their accounts. In either case the attacker does not need an account, since adding an item to a cart is possible without logging in, so a single unauthenticated request is enough to take over the store or plant a backdoor for later use.
Sansec’s investigation revealed that many Magento stores serve the upload directory directly to the public, amplifying the risk. While Adobe has rushed out a fix, it is buried in the second alpha release of version 2.4.9, far from the production-ready patch most merchants need. Until then, e-commerce operators are urged to restrict web access to the upload directory (at minimum, ensure nothing in it can be executed as a script), double-check their web server rules, and scan the directory for any sign of uploaded malware.
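The scanning step recommended above, applied to the polyglot pattern described in the previous two paragraphs, as an added example that is not Sansec’s or Adobe’s code: it walks an upload directory, records which files begin with a valid image signature, and flags any of them that also contain PHP or HTML script markers, plus anything stored under an extension a web server might execute or render. The directory path `pub/media/custom_options` is an assumption about where Magento 2 keeps file-type custom option uploads (verify it against your own instance), and the sample files the script creates are constructed for the demo, not recovered attack artefacts.

```python
"""Audit a Magento custom-option upload directory for polyglot files.

Added example, not Sansec's or Adobe's code.  Assumes uploads live under
pub/media/custom_options/ (verify on your own instance).  Flags files that
start with a valid image signature but also carry PHP or HTML script
markers, which is the shape of file PolyShell relies on.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Image signatures (magic bytes) an upload validator typically accepts.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Byte patterns that have no business inside an image.  Any hit on a file
# that also passes the image check makes it a polyglot.
SCRIPT_MARKERS = [
    (re.compile(rb"<\?php", re.I), "php-open-tag"),
    (re.compile(rb"<\?=", re.I), "php-short-echo"),
    (re.compile(rb"<script\b", re.I), "html-script-tag"),
    (re.compile(rb"\bon(load|error|click)\s*=", re.I), "html-event-handler"),
]

# Extensions a misconfigured web server might execute or render as a document.
DANGEROUS_EXT = {".php", ".phtml", ".phar", ".php5", ".html", ".htm", ".svg", ".xml"}


@dataclass
class Finding:
    path: str
    name: str
    image_type: Optional[str]
    markers: List[str] = field(default_factory=list)
    dangerous_ext: bool = False

    @property
    def is_polyglot(self) -> bool:
        # Looks like an image AND carries script content.
        return self.image_type is not None and bool(self.markers)


def detect_image_type(head: bytes) -> Optional[str]:
    for name, magic in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def inspect_file(path: str) -> Finding:
    with open(path, "rb") as fh:
        data = fh.read()
    finding = Finding(path=path, name=os.path.basename(path),
                      image_type=detect_image_type(data[:16]))
    finding.markers = [label for pat, label in SCRIPT_MARKERS if pat.search(data)]
    finding.dangerous_ext = os.path.splitext(path)[1].lower() in DANGEROUS_EXT
    return finding


def scan_upload_dir(root: str) -> List[Finding]:
    """Return a Finding for every file under root that warrants a look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            f = inspect_file(os.path.join(dirpath, name))
            if f.is_polyglot or f.dangerous_ext or (f.image_type is None and f.markers):
                hits.append(f)
    return sorted(hits, key=lambda f: f.name)


def build_sample_dir() -> str:
    """Constructed sample uploads (not real attack artefacts) for a demo run."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = os.path.join(root, "quote")  # assumed sub-folder for cart uploads
    os.makedirs(quote)
    samples = {
        "logo.png": IMAGE_MAGIC["png"] + b"\x00" * 64,                       # clean
        "photo.jpg": IMAGE_MAGIC["jpeg"] + b"\x00" * 64 + b"<?php echo 1; ?>",  # polyglot
        "badge.gif": IMAGE_MAGIC["gif"] + b"9a<script>alert(1)</script>",      # polyglot
        "notes.php": b"<?php phpinfo();",                                      # not an image at all
    }
    for name, content in samples.items():
        with open(os.path.join(quote, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_upload_dir(build_sample_dir()):
        print(f"{f.path}: image={f.image_type} markers={f.markers} "
              f"dangerous_ext={f.dangerous_ext} polyglot={f.is_polyglot}")
```

Run it against the real directory with `scan_upload_dir("/var/www/html/pub/media/custom_options")` (path assumed) and treat every hit as an incident lead rather than something to simply delete. Scanning is only half of the interim fix: the other half is a web server rule that refuses to execute scripts from, and ideally refuses to serve anything but known image types out of, that same directory, so that a polyglot that slipped past the scan still cannot run.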
With exploit techniques already circulating in the cybercrime underground, time is of the essence. The threat of automated, mass attacks looms large, targeting the backbone of countless online businesses.
What’s Next?
The PolyShell saga highlights the precarious balance between convenience and security in modern e-commerce. As store owners await a comprehensive fix from Adobe, the onus is on administrators to act swiftly, patching defenses and rooting out hidden threats. In the high-stakes world of online retail, vigilance isn’t just best practice - it’s survival.
WIKICROOK
- Remote Code Execution (RCE): when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- REST API: A REST API is a set of rules that lets different software systems communicate over the internet, acting like a translator between websites and apps.
- Polyglot File: A polyglot file is valid in multiple formats, letting attackers hide malware in files that look harmless, bypassing security checks.
- Cross-Site Scripting (XSS): a cyberattack where hackers inject malicious code into websites to steal user data or hijack sessions.
- Alpha Release: an early, unstable software version released for testing to find bugs and vulnerabilities; it is not intended to be run on production systems.