Full Report
Attacks leveraging the 'PolyShell' vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores. [...]
Analysis Summary
# Vulnerability: PolyShell (Magento/Adobe Commerce RCE & XSS)
## CVE Details
- **CVE ID:** Not explicitly listed in the article (Commonly referred to as "PolyShell").
- **CVSS Score:** Not stated in the article; the described impact (unauthenticated remote code execution) is consistent with a Critical rating, but no official score is cited.
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:** Magento Open Source, Adobe Commerce.
- **Versions:** All versions prior to 2.4.9-beta1.
- **Configurations:** Web servers that pass files under the upload directory (e.g. `pub/media`) to the PHP interpreter, or that serve them with a content type the browser will sniff as HTML; installations that expose the REST API for file-type custom options on cart items.
## Vulnerability Description
PolyShell is a vulnerability in the Magento REST API. The flaw stems from the API accepting file uploads for "custom options" of cart items without adequate validation. Attackers upload "polyglot" files, files that are valid in more than one format (for example, an image whose body also contains valid PHP). What happens next depends on how the web server handles the uploaded file: if it routes the file to the PHP interpreter, the attacker gets Remote Code Execution (RCE); if it serves the file in a way that lets the browser interpret it as HTML or script, the attacker gets Stored Cross-Site Scripting (XSS), which can be used for persistent account takeover.
## Exploitation
- **Status:** Exploited in the wild. Mass exploitation began on March 19, 2026, targeting over 56% of known vulnerable stores.
- **Complexity:** Low (Automated mass scanning and exploitation).
- **Attack Vector:** Network (Unauthenticated via REST API).
## Impact
- **Confidentiality:** High (Full data exfiltration, including payment card data via WebRTC skimmers).
- **Integrity:** High (Ability to inject malicious scripts and modify store data).
- **Availability:** High (Potential for full server takeover/RCE).
## Remediation
### Patches
- **Adobe Commerce / Magento Open Source 2.4.9-beta1:** This version contains the fix.
- **Note:** As of the report date, a patch for the stable/production branch has not yet been released.
### Workarounds
- Restrict the file types accepted for custom cart-item options through the REST API, and validate uploads by content (magic bytes, absence of PHP open tags or `<script>`) rather than by extension alone.
- Harden the web server so nothing under the upload directory is ever executed: deny `.php`, `.phtml` and similar names under `pub/media`, and serve its contents as static files with a fixed content type and `X-Content-Type-Options: nosniff`, so a polyglot image is neither run nor rendered as HTML.
- Deploy a strict Content Security Policy (CSP), but note that `connect-src` does not govern WebRTC, which is how the current skimmers exfiltrate data. The CSP Level 3 `webrtc 'block'` directive closes that channel in browsers that implement it (Chromium-based browsers do); verify coverage for your customer base before relying on it.
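The following nginx fragment is an added hardening example (it is not Magento's shipped `nginx.conf.sample` and not from the Sansec report); it assumes Magento's default document root of `pub/` with the upload directory exposed under `/media/`, and the `get.php` fallback that Magento uses for on-the-fly image resizing. It denies the PHP interpreter for anything under `/media/` and serves images with a fixed type and a no-sniff header, which addresses both the RCE and the stored-XSS paths described above:

```nginx
# Added example: harden the Magento upload directory against polyglot uploads.
# Assumes document root = pub/ and Magento's /media/ -> get.php fallback.
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;

    # Never hand anything under pub/media to PHP-FPM, whatever its name or
    # content. A polyglot image is inert if it is only ever served as bytes.
    # Nested regex locations are tried in order, so this must come first.
    location ~* \.(php|phtml|phar|pht|phps)$ {
        deny all;
    }

    # Serve images with a fixed type and forbid MIME sniffing so a browser
    # cannot render embedded HTML/JS out of a polyglot (stored-XSS path).
    # SVG is included because it can legitimately carry script; the
    # restrictive CSP keeps an inline <script> in an SVG from running.
    location ~* \.(gif|jpe?g|png|webp|svg)$ {
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'none'; sandbox";
        expires 1y;
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm the behaviour from outside: a request for `/media/custom_options/x.php` must return 403 rather than executing, and an image response must carry `X-Content-Type-Options: nosniff`.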
## Detection
- **Indicators of Compromise (IoCs):**
- High-volume scanning from specific IP addresses (Refer to Sansec for live list).
- Presence of lightweight JS loaders that initiate WebRTC connections (DTLS-encrypted UDP).
- Use of `requestIdleCallback` in suspicious scripts to delay execution.
- Forged Session Description Protocol (SDP) exchanges in network logs.
- **Detection methods and tools:**
- Watch for WebRTC peer-connection setup in storefront JavaScript (for example by loading checkout pages in an instrumented browser): the skimmer's exfiltration is DTLS over UDP, so it leaves no HTTP request in proxy logs and triggers no CSP violation report.
- Audit `pub/media` for files whose image header is followed by PHP open tags or `<script>`, and for any `.php`/`.phtml` file present at all.
- Sansec e-commerce malware scanner.
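The script below is an added example (not Sansec's scanner, nor Adobe or Magento code) that implements two of the checks listed above: it walks a media directory and flags uploads whose image header is followed by PHP or script tags, or whose name the PHP interpreter would execute, and it reports which WebRTC-skimmer indicators a piece of storefront JavaScript contains. The directory layout (`custom_options` under the media root), the sample files and the loader snippet are constructed for illustration; the indicator list is an assumption drawn from the IoCs above.

```python
"""Audit a Magento media tree for polyglot uploads and check storefront JS
for WebRTC-skimmer indicators. Added example; fixtures are constructed."""
import os
import re
import tempfile

# Magic bytes for image types a store would normally accept as uploads.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# PHP open tags (including the short echo tag) and inline <script>.
PAYLOAD_RE = re.compile(rb"<\?(?:php\b|=)|<script\b", re.IGNORECASE)

# Names the interpreter would run if the web server ever routed them to PHP.
EXEC_EXT = {".php", ".phtml", ".phar", ".pht", ".phps"}

# API names seen in the WebRTC loader described above (assumed indicator set).
JS_INDICATORS = ("RTCPeerConnection", "createDataChannel",
                 "setRemoteDescription", "requestIdleCallback")


def image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def classify(path, data):
    """Findings for one file: executable name, polyglot body, or both."""
    findings = []
    if os.path.splitext(path)[1].lower() in EXEC_EXT:
        findings.append("executable extension under media")
    kind = image_type(data)
    if PAYLOAD_RE.search(data):
        if kind:
            findings.append(f"{kind} header with embedded PHP/script (polyglot)")
        else:
            findings.append("non-image file containing PHP/script")
    return findings


def scan_media(root):
    """Walk a media tree; map relative path -> findings, flagged files only."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = classify(path, data)
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                flagged[rel] = findings
    return flagged


def js_skimmer_indicators(source):
    """Indicators present in a script, in JS_INDICATORS order."""
    return [name for name in JS_INDICATORS if name in source]


def build_sample_media():
    """Constructed fixture: clean GIF, GIF/PHP polyglot, bare PHP file, text."""
    root = tempfile.mkdtemp(prefix="pub_media_")
    sub = os.path.join(root, "custom_options")
    os.makedirs(sub)
    samples = {
        "clean.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00;",
        "poly.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00;<?php /* payload */ ?>",
        "shell.php": b"<?php echo 1; ?>",
        "notes.txt": b"order notes, nothing executable",
    }
    for name, body in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)
    return root


# Constructed loader resembling the IoCs: deferred start, peer connection,
# data channel, hard-coded SDP answer instead of a real signalling exchange.
SAMPLE_LOADER = """
requestIdleCallback(function () {
  var pc = new RTCPeerConnection({iceServers: []});
  var dc = pc.createDataChannel("c");
  pc.setRemoteDescription({type: "answer", sdp: "v=0\\r\\n"});
});
"""
CLEAN_SCRIPT = "document.querySelector('.minicart').addEventListener('click', open);"

if __name__ == "__main__":
    for path, findings in scan_media(build_sample_media()).items():
        print(path, "->", "; ".join(findings))
    print("loader indicators:", js_skimmer_indicators(SAMPLE_LOADER))
```

Run it against a real store with `scan_media("/var/www/magento/pub/media")` and feed `js_skimmer_indicators` the scripts served on checkout pages; a script that hits all four indicators warrants manual review, while `requestIdleCallback` alone is common in legitimate code.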
## References
- **Sansec Research:** hxxps[://]sansec[.]io/research/magento-polyshell
- **Sansec WebRTC Skimmer Report:** hxxps[://]sansec[.]io/research/webrtc-skimmer
- **Adobe Release Notes (Beta):** hxxps[://]experienceleague[.]adobe[.]com/en/docs/commerce-operations/release/notes/adobe-commerce/2-4-9?lang=en#highlights-in-v249-beta1