Critical Adobe Commerce (Magento) Bug Lets Attackers Execute Remote Code

Marcus Rodriguez
March 25, 2026

Key Takeaways

  • A critical “PolyShell” vulnerability in Adobe Commerce (Magento) allows unauthenticated remote code execution.
  • Attackers are actively exploiting this flaw through mass automated attacks, leading to full system compromise.
  • The vulnerability stems from insufficient validation and file type restrictions in the Magento REST API’s file upload mechanism.
  • All versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2 are affected, with no official production patch currently available.
  • Immediate mitigation steps include deploying WAFs, restricting server access to specific directories, and scanning for webshells.

A severe unrestricted file upload vulnerability, dubbed “PolyShell,” is being actively exploited and poses a critical threat to Magento and Adobe Commerce online stores. The flaw lets an unauthenticated attacker execute arbitrary code on the web server, which amounts to full compromise of the store.

Discovered by the Sansec Forensics Team, the vulnerability allows unauthenticated threat actors to bypass security measures and gain full control over affected e-commerce platforms. Since mid-March 2026, malicious actors have launched widespread automated attacks against vulnerable systems, capitalizing on the absence of an official production patch.

The PolyShell Vulnerability Explained

The PolyShell exploit targets the Magento REST API through the guest cart routes, which accept requests from anonymous callers and therefore need no authentication to reach the vulnerable code. When a product option is submitted as a file upload, Magento decodes the base64-encoded file data in the request and writes it directly to the server’s pub/media/custom_options/quote/ directory.

The core of the vulnerability lies in the system’s failure to implement three crucial security checks:

  • Lack of Option ID Validation: The submitted option ID is not verified against the product’s actual available options.
  • Absence of Option Type Gating: The file upload logic is triggered irrespective of whether the product genuinely includes a file-type option.
  • Insufficient File Extension Restriction: The system does not block executable extensions such as .php and .phar; the only content check is an image header (magic bytes) check, which a polyglot file satisfies trivially.

Sansec reported observing automated mass scanning for this vulnerability commencing on March 19, 2026. Over 50 distinct IP addresses were identified targeting approximately 23% of protected stores.

Attackers are deploying sophisticated polyglot files—files that appear to be legitimate GIF or PNG images but secretly contain executable PHP code. These malicious payloads primarily fall into two categories:

  • A cookie-authenticated webshell, typically named index.php, bypass.php, or c.php, which verifies access via an MD5 hash in a cookie named ‘d’.
  • A password-protected RCE shell, often dropped as rce.php or mikhail.html, that uses double-MD5 hash verification to execute system commands directly.

To evade detection by basic security scanners, threat actors have occasionally employed Unicode obfuscation in these malicious filenames.

Affected Versions and Mitigation Strategies

The vulnerable code has been present since the first Magento 2 release. Adobe fixed it in the pre-release 2.4.9-alpha3 branch as part of APSB25-94, but no fix has shipped for the production releases, which remain exposed. How severe the flaw is in practice depends on the software version and on the web server configuration in front of it.

All versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2 carry the unrestricted file upload. What an attacker can do with it depends on the deployment: stored cross-site scripting (XSS) affects all versions prior to 2.3.5 and any environment with a custom server configuration, while remote code execution is most likely where the web server will execute PHP from the upload directory, namely the default Nginx configuration of Magento 2.0.0 through 2.2.x and Apache servers that do not restrict PHP execution under pub/media.

What You Should Do

The Sansec Forensics Team strongly advises administrators to implement immediate defensive measures until an official production patch becomes available. Defenders should:

  • Deploy a Web Application Firewall (WAF): Utilize a WAF to actively block exploitation attempts in real-time.
  • Restrict Web Server Access: Immediately block web access to the pub/media/custom_options/ directory. For Nginx this means a location block with a deny all directive that takes precedence over the regex location that hands .php requests to PHP, since a plain prefix location is overridden by a later regex match. Apache servers need equivalent .htaccess rules that deny the same paths and extensions.
  • Scan for Webshells: Proactively scan your environments for hidden webshells to detect any existing compromises.
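The Nginx precedence point above is the one most often got wrong, so here is an added example of the location block, not taken from Magento’s nginx.conf.sample or from Sansec. It assumes a server block whose document root is Magento’s pub/ directory (so the directory is served as /media/custom_options/) and whose PHP handling is a regex location of the form location ~ \.php$; the fastcgi_backend upstream name and the rest of the server block are placeholders.

```nginx
# Added example: deny the custom-options upload directory in a way that PHP
# handling cannot override. Assumes docroot = pub/ and a regex PHP location.

server {
    # ... existing Magento server block, root pointing at pub/ ...

    # Weak form: a plain prefix location is only a fallback. nginx still
    # evaluates regex locations afterwards, so "location ~ \.php$" below
    # would win for /media/custom_options/quote/rce.php and execute it.
    #
    #   location /media/custom_options/ { deny all; }

    # Corrected form: the ^~ modifier stops the regex search once this prefix
    # matches, so nothing under the directory is ever passed to PHP-FPM.
    location ^~ /media/custom_options/ {
        deny all;
    }

    # Placeholder for the site's PHP handling; the point is that it is a regex
    # location, which is exactly what ^~ above protects against.
    location ~ \.php$ {
        fastcgi_pass fastcgi_backend;
        include fastcgi_params;
    }
}
```

After reloading, a request for any path under /media/custom_options/ must return 403 whether the name ends in .php, .gif or anything else (curl -I against a known path is enough to confirm). The block has to sit at server level, not nested inside an existing location /media/ { ... } block, because nested locations are only consulted once the outer prefix has already been chosen over the regex locations. The Apache equivalent is a FilesMatch directive with Require all denied for the same executable extensions in pub/media/custom_options/.htaccess, or php_flag engine off for that directory when PHP runs as mod_php.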
