Hackers Exploiting Magento RCE for Full Account Access

A critical unrestricted file upload vulnerability, identified as “PolyShell,” is under active exploitation. Attackers are leveraging this flaw to target Magento and Adobe Commerce stores.

Discovered by the Sansec Forensics Team, this flaw allows unauthenticated attackers to execute remote code (RCE) and completely take over accounts.

With no official patch available for production environments, hackers have been conducting mass automated attacks against vulnerable e-commerce platforms since mid-March 2026.

PolyShell Vulnerability Exploited

The PolyShell exploit targets the Magento REST API, specifically the anonymous guest cart routes. This allows threat actors to bypass authentication entirely.

When a product option is set to accept files, Magento processes base64-encoded file data and writes it directly to the server’s pub/media/custom_options/quote/ directory.

The vulnerability exists because the system lacks three critical security checks:​

• No option ID validation: The submitted option ID is never verified against the product’s actual options.​
• No option type gating: The file upload logic triggers regardless of whether the product actually has a file-type option.​
• No file extension restriction: Executable extensions like .php and .phar are not blocked, relying only on an easily bypassed image header validation.​

Sansec observed automated mass scanning for this vulnerability starting on March 19, 2026, with over 50 IP addresses targeting 23% of protected stores.

Attackers are deploying polyglot files, which are valid GIF or PNG images that secretly contain executable PHP code.​

The attackers primarily use two types of malicious payloads to compromise servers.

The first is a cookie-authenticated webshell that relies on MD5 hash verification via a cookie named d, often using filenames like index.php, bypass.php, and c.php.

The second variant is a password-protected RCE shell that uses double-MD5 hash verification and passes commands directly to the system, commonly dropped as files such as rce.php or mikhail.html.

Threat actors sometimes use Unicode obfuscation on these filenames to hide their tracks from basic security scanners.​

Affected Versions and Mitigation Strategies

The vulnerable code has existed since the first release of Magento 2. While Adobe patched the issue in the pre-release 2.4.9-alpha3 branch as part of APSB25-94, current production stores remain highly exposed.​

The severity of the vulnerability depends on the specific software version and server setup. The unrestricted file upload flaw affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2.

Furthermore, stored cross-site scripting (XSS) affects all versions before 2.3.5, as well as environments with custom server configurations.

Remote code execution risks vary by web server, specifically affecting default Nginx configurations (e.g., versions 2.0.0 through 2.2.x) and Apache servers lacking specific PHP restrictions.​

The Sansec Forensics Team advises administrators to take immediate defensive action until an official production patch is released.

Organizations should deploy a Web Application Firewall (WAF) to block exploitation attempts in real-time. Additionally, administrators must restrict web server access to the pub/media/custom_options/ directory.

For Nginx, this requires a location block with a deny all that is not overridden by PHP regex matches, while Apache servers require strict .htaccess rules. Security teams are recommended to actively scan their environments for hidden webshells to detect compromises.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.