Magento PolyShell Flaw Allows Unauthenticated Uploads, Remote Code Execution, And Account Takeover

A newly disclosed security vulnerability in Magento's REST API is raising serious concerns among e-commerce operators, as it enables unauthenticated attackers to upload malicious files, execute code remotely, and potentially take over user accounts. The flaw, identified by Dutch security firm Sansec and named PolyShell, affects all Magento Open Source and Adobe Commerce versions up to 2.4.9 alpha2. The issue stems from how Magento processes file uploads tied to custom product options, where attackers can disguise malicious payloads as seemingly harmless image files.

According to Sansec, the vulnerability arises when Magento accepts file uploads through a file_info object embedded in cart item options. This object includes base64-encoded file data, along with metadata such as MIME type and filename. Once processed, the uploaded file is stored in the pub/media/custom_options/quote directory on the server. In certain server configurations, particularly those lacking strict access controls, this mechanism can be abused to upload executable PHP files or inject malicious scripts. This creates a pathway for remote code execution or stored cross-site scripting, which can ultimately lead to account takeover.

Although Adobe addressed the issue in its 2.4.9 pre-release branch under security advisory APSB25-94, production versions currently do not have a standalone patch. Sansec noted that while Adobe provides recommended web server configurations to mitigate risk, many online stores rely on custom hosting setups that may not enforce these protections effectively. As a result, stores remain exposed unless proactive measures are implemented. Recommended mitigations include restricting access to the upload directory, verifying that server rules block execution within that path, and scanning systems for signs of compromise such as web shells or backdoors. The firm also emphasized that simply blocking access does not prevent uploads, highlighting the need for specialized web application firewall solutions.

The disclosure comes alongside a broader campaign reported by Netcraft, which has identified widespread compromise and defacement activity targeting Magento-based sites. Beginning February 27, 2026, attackers have reportedly uploaded plaintext files to publicly accessible directories, affecting approximately 15,000 hostnames across 7,500 domains. The campaign spans multiple industries and regions, including infrastructure linked to major global brands such as Asus, FedEx, Fiat, Lindt, Toyota, and Yamaha. Security researchers indicate that the exact attack vector behind these incidents remains unclear, though misconfigurations or other vulnerabilities may be involved.

In a follow-up update on March 23, Sansec confirmed active exploitation of the PolyShell flaw starting March 16, with automated scanning increasing shortly after. At least 50 IP addresses have been linked to these scanning activities. Observed attacks involve the use of polyglot files that are simultaneously valid image files (GIF or PNG) and executable PHP scripts. These files deploy web shells capable of executing arbitrary commands, as well as password-protected remote access shells that pass instructions directly to system-level functions. The ongoing activity highlights the urgency for Magento users to assess their exposure and strengthen defenses against evolving threats.
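The compromise scan Sansec recommends, applied to the polyglot pattern described above, as an added example that is neither Sansec's nor Adobe's code: it walks an upload directory and flags files that carry a PHP open tag, distinguishing a GIF/PNG header with PHP appended (polyglot) from a bare PHP file. The directory, the file names and the fixture contents are constructed for the example; the PHP marker in the fixture is an inert comment, not a shell.

```python
import os
import re
import tempfile

# Magic bytes for the image formats the report names (GIF, PNG).
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png"}
# A PHP open tag anywhere inside an "image" is the polyglot signature.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def classify(data: bytes):
    """Return (image_type_or_None, contains_php_tag) for raw file bytes."""
    image_type = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)
    return image_type, PHP_TAG.search(data) is not None


def find_suspicious(directory: str):
    """Walk an upload directory and return sorted (relative_path, verdict) pairs.

    verdict is 'polyglot' (valid image header plus a PHP tag) or 'php' (PHP tag only).
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            image_type, has_php = classify(data)
            if has_php:
                hits.append((os.path.relpath(path, directory), "polyglot" if image_type else "php"))
    return sorted(hits)


def build_sample_dir() -> str:
    """Create a constructed sample upload directory (fixture, not captured data)."""
    base = tempfile.mkdtemp(prefix="custom_options_quote_")
    samples = {
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "clean.gif": b"GIF89a" + b"\x00" * 16,
        # Inert marker only: a valid GIF header followed by a PHP open tag.
        "poly.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>",
        "dropped.png": b"<?php /* constructed marker */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    return base
```

On a real store, point find_suspicious at pub/media/custom_options/quote; a hit there means the web server's execution block, if present, limited impact but did not stop the upload itself.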
