Critical Magento Flaw Enables Unauthenticated RCE, Account Takeover

Security researchers have disclosed a critical vulnerability in the widely used Magento e-commerce platform that could allow attackers without any login credentials to upload malicious files, execute arbitrary code, and take over administrator accounts. The flaw, discovered in the platform’s REST API, poses a significant threat to online stores globally that have not applied the latest security patches.

The vulnerability was identified and reported by the cybersecurity firm Sansec. The company has assigned the flaw the codename “PolyShell,” a reference to the attack method, which involves disguising malicious shell code within an image file. This technique allows the payload to bypass standard security checks.

Technical Details of the PolyShell Exploit

According to the technical advisory, the security weakness resides within a specific endpoint of the Magento REST API. This endpoint, intended for legitimate functions, fails to properly validate user input and file types. An unauthenticated attacker can exploit this by sending a specially crafted HTTP POST request that contains a malicious executable disguised as an image.

Because the system incorrectly processes this file, the attacker can upload it to the server. Once uploaded, the attacker can then trigger the execution of the hidden code. This Remote Code Execution (RCE) provides full control over the affected web server, enabling data theft, site defacement, or the installation of persistent backdoors.
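The weakness described above is an upload validator that trusts what the client declares rather than what the bytes contain. As an added illustration, not Magento's, Adobe's or Sansec's code, the following generic Python validator puts the weak check beside a hardened one. It assumes a PHP-style server where the extension decides how a file is handled; the image "samples" are constructed header-plus-trailer stand-ins, not real uploads.

```python
import os
import re

# Magic-byte signatures for the image formats this validator accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# A well-formed file of each type ends with a fixed trailer; bytes after it
# are a classic place to hide a second "document" inside an image.
IMAGE_TRAILERS = {
    "png": b"\x00\x00\x00\x00IEND\xae\x42\x60\x82",
    "jpeg": b"\xff\xd9",
    "gif": b"\x3b",
}

ALLOWED_EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

# Server-side script openers. None of these belong inside a genuine image.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


def weak_validate(filename: str, declared_mime: str, data: bytes) -> bool:
    """The failure mode the advisory describes: the server believes the
    client's Content-Type and never inspects the bytes."""
    return declared_mime.startswith("image/")


def detect_image_type(data: bytes):
    """Identify the image format from its leading bytes, or None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def hardened_validate(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason). The client's declared MIME type is ignored;
    every decision is made from the filename and the file's own bytes."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # Exactly one extension: rejects names such as upload.php.png that some
    # server configurations would hand to the PHP interpreter.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = "." + parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} is not an allowed image type"
    kind = detect_image_type(data)
    if kind is None:
        return False, "content does not start with a known image signature"
    if ALLOWED_EXTENSIONS[ext] != kind:
        return False, f"extension {ext} does not match detected content {kind}"
    if SCRIPT_MARKERS.search(data):
        return False, "script markers embedded in image data"
    if not data.endswith(IMAGE_TRAILERS[kind]):
        return False, "data follows the image's end-of-file trailer"
    return True, "ok"


# Constructed samples (not real uploads): minimal header+trailer stand-ins.
SAMPLE_PNG = IMAGE_SIGNATURES["png"][0] + IMAGE_TRAILERS["png"]
# Header, a harmless PHP open tag, trailer: the shape of the polyglot the advisory describes.
POLYGLOT_PNG = IMAGE_SIGNATURES["png"][0] + b"<?php /* constructed marker */ ?>" + IMAGE_TRAILERS["png"]
APPENDED_PNG = SAMPLE_PNG + b"extra bytes after IEND"
SAMPLE_JPEG = IMAGE_SIGNATURES["jpeg"][0] + b"\x00" + IMAGE_TRAILERS["jpeg"]


def run_samples():
    """Run both validators over the constructed samples; returns {label: (weak, hardened)}."""
    cases = {
        "genuine png": ("photo.png", "image/png", SAMPLE_PNG),
        "polyglot png": ("photo.png", "image/png", POLYGLOT_PNG),
        "appended data": ("photo.png", "image/png", APPENDED_PNG),
        "ext mismatch": ("photo.png", "image/png", SAMPLE_JPEG),
        "double extension": ("upload.php.png", "image/png", SAMPLE_PNG),
    }
    return {label: (weak_validate(*args), hardened_validate(*args)) for label, args in cases.items()}


if __name__ == "__main__":
    for label, (weak, hard) in run_samples().items():
        print(f"{label:18} weak={weak!s:5} hardened={hard}")
```

The weak check accepts every one of the constructed samples because each arrives with an `image/` Content-Type; the hardened check accepts only the genuine PNG. The trailer test is deliberately strict and will reject real-world files with padding after the end-of-image marker, so a production service should go one step further and re-encode accepted uploads through an image library (Pillow, for example), which discards anything that is not pixel data.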

Severity and Potential Impact

The PolyShell vulnerability is considered critical due to the low barrier to entry for attackers; no authentication is required. Successful exploitation leads directly to a complete compromise of the Magento instance. Attackers could steal sensitive customer data, including payment information, inject skimming malware, or seize administrative accounts to maintain long-term access.

Magento, now part of Adobe Commerce, powers a substantial portion of the global e-commerce market, from small businesses to large enterprises. The potential scale of impact is therefore considerable, affecting both merchants and their customers.

Current Status and Mitigation

Sansec stated there is no evidence that this specific vulnerability has been actively exploited in attacks at this time. The discovery was made through proactive security research. The flaw affects specific versions of the Magento 2 platform.

The primary and most urgent mitigation is for store administrators to apply the latest security patches provided by Adobe. The company has addressed the issue in recent updates. System administrators are strongly advised to verify their Magento version and patch immediately if they are running an affected release.

Additional security measures include restricting access to administrative panels, implementing a Web Application Firewall (WAF) with rules tuned for Magento, and conducting regular security audits of all website code and extensions.

Looking Ahead

Security researchers and Adobe are expected to continue monitoring for any signs of exploit attempts in the wild. The disclosure follows a standard coordinated process, giving vendors time to develop and distribute a fix before public details are released. Store owners who have not yet updated their systems are likely the most immediate target for any future malicious campaigns seeking to leverage the PolyShell vulnerability. The broader e-commerce security community will be watching for any related threat actor activity in the coming weeks.

Source: Sansec