
Sansec warns that Magento’s REST API has a critical security flaw that could allow an unauthenticated attacker to upload arbitrary executable files and perform code execution or account takeover.
Sansec codenamed the vulnerability PolyShell because the attack relies on disguising malicious code as an image. There is no evidence that the flaw has been exploited in the wild. The unrestricted file upload flaw affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2.
The Dutch security firm said the issue stems from Magento's REST API accepting file uploads as part of the custom options for cart items.
“If the product option is of type ‘file’, Magento processes an embedded file_info object containing the base64-encoded file data, MIME type, and file name,” Sansec said. “The file will be written to pub/media/custom_options/quote/ on the server.”
Depending on the web server configuration, this vulnerability could allow remote code execution via PHP upload or account takeover via stored XSS.
Sansec also noted that Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but that no separate patch has been released for the currently shipping product versions.
“Adobe provides sample web server configurations that greatly reduce the impact, but most stores use custom configurations from their hosting providers,” it added.
To reduce potential risk, e-commerce stores are advised to take the following steps:
1. Restrict access to the upload directory (‘pub/media/custom_options/’).
2. Verify that the nginx or Apache rules actually prevent access to that directory.
3. Scan the store for web shells, backdoors, and other malware.
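Because the page's mitigation advice ends with scanning the store for web shells, and because PolyShell relies on files that pass as images while carrying PHP code, the following is an added defender-side example (not Sansec's, Adobe's, or Magento's code) that walks a custom-options upload directory and flags files whose bytes do not match their extension or that contain a PHP open tag. The image magic bytes and the extension lists are assumptions chosen for this example; the default path mirrors the one quoted above.

```python
"""Flag image/PHP polyglots and stray executables in a Magento upload directory."""
import os
import re

# Magic-byte prefixes of the image formats we accept (assumed list for this example).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions a typical PHP-FPM/Apache handler would execute (assumed list).
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}
# Matches "<?php" and the "<?=" echo tag anywhere in the file body.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def classify_bytes(name, data):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXT:
        findings.append("executable extension")
    looks_like_image = any(data.startswith(magic) for magic in IMAGE_MAGIC)
    if PHP_TAG.search(data):
        # A valid image header followed by a PHP tag is the polyglot pattern.
        findings.append("php tag in image body" if looks_like_image else "php tag")
    if ext in IMAGE_EXT and not looks_like_image:
        findings.append("image extension without image header")
    return findings


def scan_directory(root="pub/media/custom_options"):
    """Walk the upload tree and map each suspicious path to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = classify_bytes(filename, data)
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_directory().items():
        print(f"{path}: {', '.join(findings)}")
```

Run it from the Magento root; any hit in the quote/ subtree deserves a look, and a clean result still does not prove the directory is blocked from the web, which is a separate check against the server configuration.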
“Blocking access does not block uploads, so malicious code can be uploaded even if you are not using a specialized WAF [Web Application Firewall],” said Sansec.
The disclosure comes after Netcraft warned of an ongoing campaign involving the compromise and defacement of thousands of Magento e-commerce sites across multiple sectors and geographies. The activity, which began on February 27, 2026, involves threat actors uploading plain-text files to publicly accessible web directories.
“The attackers deployed defaced txt files to approximately 15,000 hostnames across 7,500 domains, including infrastructure related to well-known global brands, e-commerce platforms, and government services,” said security researcher Gina Chow.
It is currently unclear whether the attack exploits specific Magento vulnerabilities or misconfigurations, or whether it is the work of a single attacker. The campaign has affected infrastructure belonging to well-known brands such as Asus, FedEx, Fiat, Lindt, Toyota, and Yamaha.
Hacker News also reached out to Netcraft to understand if this activity is connected to PolyShell. I will update the article if I receive a response.
