A serious security flaw has been identified in Magento that allows unauthenticated attackers to upload malicious files, execute remote code, and potentially take over user accounts. This issue, referred to as PolyShell, has been analyzed by the security firm Sansec.
The vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2. According to researchers, the weakness lies in the REST API, where file uploads are handled as part of product custom options in the shopping cart system.
How the Vulnerability Works
When a product includes a file-type option, Magento processes a base64-encoded file, along with metadata like filename and MIME type. This file is then stored in the server directory:
pub/media/custom_options/quote/
If the server is misconfigured, attackers can upload malicious scripts disguised as images or other harmless-looking files. This can lead to:
- Remote Code Execution (RCE)
- Account takeover
- Stored Cross-Site Scripting (XSS)
The flaw becomes especially dangerous because it requires no authentication, making exploitation easier for attackers.
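The upload path described above takes a base64 body plus a client-supplied filename and MIME type, so a defender's first control is to refuse to trust any of those three on their own. The following validator is an added example written for this article (it is not Magento's code nor Sansec's analysis); it checks the decoded content against magic bytes, rejects executable and double extensions, and scans the body for script markers that would survive a valid image header. The field names `data`, `name` and `type` and the sample blobs are constructed for illustration.

```python
import base64
import os
import re

# Magic bytes for the image types a product "file" custom option should carry.
MAGIC = {"image/png": (b"\x89PNG\r\n\x1a\n",), "image/jpeg": (b"\xff\xd8\xff",),
         "image/gif": (b"GIF87a", b"GIF89a")}
EXT_FOR_MIME = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}
# Never allowed under pub/media, even as the middle part of photo.php.png.
FORBIDDEN_EXT = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps", "htaccess"}
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<script\b", re.IGNORECASE)


def validate_custom_option_file(option: dict) -> list:
    """Return why an upload must be rejected (empty list = accept).
    `option` mirrors the fields the article names: base64 'data', 'name', 'type'."""
    try:
        data = base64.b64decode(option.get("data", ""), validate=True)
    except (ValueError, TypeError):
        return ["content is not valid base64"]
    name, mime, reasons = option.get("name", ""), option.get("type", ""), []
    # Path separators or NUL bytes would let the file escape custom_options/quote/.
    if not name or name != os.path.basename(name) or "\x00" in name:
        reasons.append("filename is not a plain basename")
    parts = name.lower().split(".")
    if any(p in FORBIDDEN_EXT for p in parts[1:]):
        reasons.append("filename carries an executable extension")
    if mime not in MAGIC:
        reasons.append(f"declared type {mime!r} is not an allowed image type")
    else:
        if parts[-1] not in EXT_FOR_MIME[mime]:
            reasons.append("extension does not match declared MIME type")
        if not data.startswith(MAGIC[mime]):
            reasons.append("content magic bytes do not match declared MIME type")
    # A correct magic header does not rule out a polyglot: scan the whole body.
    if SCRIPT_MARKERS.search(data):
        reasons.append("content contains script markers")
    return reasons


# Constructed samples (not real uploads): a minimal PNG-headed blob, a script
# body disguised by a double extension, and a polyglot with a valid PNG header.
GOOD_SAMPLE = {"name": "photo.png", "type": "image/png",
               "data": base64.b64encode(MAGIC["image/png"][0] + b"\x00" * 8).decode()}
BAD_SAMPLE = {"name": "photo.php.png", "type": "image/png",
              "data": base64.b64encode(b"<?php /* constructed sample */ ?>").decode()}
POLYGLOT_SAMPLE = {"name": "photo.png", "type": "image/png",
                   "data": base64.b64encode(MAGIC["image/png"][0] + b"<?php ?>").decode()}
if __name__ == "__main__":
    for label, sample in ("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE), ("polyglot", POLYGLOT_SAMPLE):
        print(label, validate_custom_option_file(sample) or "accepted")
```

Content validation is only one layer: the directory itself should also be served with script execution disabled, so a file that slips past the check still cannot run.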
Current Status and Risk
Although there is no confirmed active exploitation in the wild, similar vulnerabilities are often targeted quickly after disclosure. Adobe has addressed the issue in a pre-release version, but a fully isolated patch for stable versions is not yet widely available.
Real-World Threat Context
Security experts have also observed widespread attacks against Magento-based websites, including defacement campaigns affecting thousands of domains globally. These incidents highlight how quickly attackers can take advantage of weak configurations and unpatched systems.
(The story was updated after publication to include a response from Netcraft.)