A critical security vulnerability has been identified in Magento’s REST API, exposing e-commerce platforms to potential remote code execution and account takeover risks. Discovered by cybersecurity firm Sansec, the flaw, codenamed “PolyShell”, highlights growing concerns around web application security and the increasing sophistication of cyber threats targeting digital commerce ecosystems.
The vulnerability affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. It allows unauthenticated attackers to upload malicious executable files by disguising them as image uploads, exploiting weaknesses in the platform’s file handling mechanism. This type of attack demonstrates how cybercriminals are leveraging advanced evasion techniques to bypass traditional security controls.
At the core of the issue is Magento’s REST API functionality, which permits file uploads through custom product options. When a product includes a file-type option, the system processes an embedded file_info object containing base64-encoded data, a MIME type, and a filename. These files are then stored in the server directory “pub/media/custom_options/quote/”. If server configurations are not properly secured, attackers can exploit this pathway to execute malicious PHP code or inject scripts that enable account takeover through stored cross-site scripting (XSS).
Cybersecurity experts warn that the impact of this vulnerability depends heavily on server configurations. In environments where file execution is not restricted, attackers could gain full control over affected systems. While Adobe has addressed the issue in its 2.4.9 pre-release branch as part of security advisory APSB25-94, many production environments remain unpatched, increasing exposure to potential exploitation.
To mitigate risk, organizations operating Magento-based storefronts are advised to implement immediate security measures. These include restricting access to the upload directory, enforcing strict web server rules via Apache or Nginx configurations, and conducting comprehensive scans for web shells, backdoors, or other malicious artifacts. Additionally, deploying a Web Application Firewall (WAF) is strongly recommended, as blocking directory access alone does not prevent malicious uploads.
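As an added illustration of the file_info handling and the scanning advice above (this is example code, not from the article, Sansec, or Magento), the following Python validator rejects a custom-option upload whose bytes do not carry the image header its MIME type claims, whose filename carries an executable suffix anywhere, or whose body contains a PHP opening tag, and the same checks are reused to sweep the quote upload directory for web shells. The field names name, type and base64_encoded_data, the extension list, and the sample payloads are assumptions constructed for the example.

```python
import base64
import re
from pathlib import Path

# Magic bytes for the image types a file-type product option is expected to receive.
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
# Extensions a misconfigured Apache or Nginx may hand to the PHP interpreter (assumed list).
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}
PHP_OPENER = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def suspicious_content(name: str, body: bytes) -> list[str]:
    """Findings shared by the request validator and the on-disk scanner."""
    hits = []
    # Every dotted suffix counts, so 'shell.php.png' is rejected, not only 'shell.php'.
    if any(s.lower() in EXECUTABLE_EXT for s in Path(name).suffixes):
        hits.append("executable extension in filename")
    # A polyglot keeps a valid image header and carries PHP code after it.
    if PHP_OPENER.search(body):
        hits.append("PHP opening tag in file body")
    return hits

def check_file_info(file_info: dict) -> list[str]:
    """Reasons to reject a file_info object from a custom-option request (empty = clean)."""
    body = base64.b64decode(file_info.get("base64_encoded_data", ""), validate=True)
    declared = file_info.get("type", "")
    reasons = suspicious_content(file_info.get("name", ""), body)
    magic = IMAGE_MAGIC.get(declared)
    if magic is None:
        reasons.append(f"unsupported MIME type {declared!r}")
    # The MIME type is client-supplied; the bytes themselves must carry the image header.
    elif not body.startswith(magic):
        reasons.append("content does not match declared MIME type")
    return reasons

def scan_upload_dir(root) -> dict[str, list[str]]:
    """Walk pub/media/custom_options/quote/ and report files that look like web shells."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = suspicious_content(path.name, path.read_bytes())
            if hits:
                flagged[str(path.relative_to(root))] = hits
    return flagged

# Constructed samples: a PNG header with a harmless PHP tag appended, and a clean stub.
POLYGLOT = base64.b64encode(IMAGE_MAGIC["image/png"] + b"<?php echo 'polyglot'; ?>").decode()
CLEAN_PNG = base64.b64encode(IMAGE_MAGIC["image/png"] + b"\x00" * 16).decode()
```

Run scan_upload_dir("pub/media/custom_options/quote") from the Magento root to list suspicious stored files; a hit is a reason to investigate, not proof of compromise on its own.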
The discovery comes amid a broader wave of cyberattacks targeting Magento environments. Security researchers at Netcraft have reported an ongoing campaign involving the compromise and defacement of thousands of e-commerce websites across multiple industries and regions. Since late February 2026, attackers have reportedly uploaded defacement files across approximately 15,000 hostnames spanning 7,500 domains, impacting infrastructure associated with major global brands.
Although it remains unclear whether the PolyShell vulnerability is directly linked to these attacks, the scale and frequency of incidents underscore the urgent need for enhanced cybersecurity practices in the e-commerce sector. The interconnected nature of modern digital platforms means that even a single vulnerability can have widespread consequences across multiple systems and stakeholders.
As cyber threats continue to evolve, organizations must prioritize proactive security strategies, including regular vulnerability assessments, secure configuration management, and real-time threat monitoring. The PolyShell vulnerability serves as a critical reminder that maintaining robust cybersecurity defenses is essential to protecting both business operations and customer data in today’s digital economy.