Critical Magento REST API “PolyShell” Flaw Enables Unauthenticated RCE and Account Takeover
What Happened — Security firm Sansec disclosed a critical vulnerability in Magento’s REST API (codenamed PolyShell) that lets an unauthenticated attacker upload a malicious file disguised as an image, achieve remote code execution, and hijack admin accounts. The flaw affects all Magento installations that expose the vulnerable endpoint. No public exploitation has been observed to date.
Why It Matters for TPRM —
- The attack surface is the public REST API; any third‑party integration that relies on Magento becomes a potential entry point.
- Successful exploitation grants full control of the e‑commerce environment, exposing customer PII, payment data, and intellectual property.
- Vendors may be unable to patch quickly, creating a supply‑chain risk for downstream merchants.
Who Is Affected — Retail & e‑commerce platforms, online marketplaces, and any organization that uses Magento as its storefront or as a backend for third‑party services.
Recommended Actions —
- Verify whether your organization or any downstream partner runs Magento and confirm the version.
- Apply the vendor‑released patch (or mitigate by disabling the vulnerable REST endpoint) immediately.
- Conduct a focused code review of custom extensions that interact with the REST API, especially any that accept file uploads.
- Update third‑party risk questionnaires to include this specific API exposure.
Technical Notes — The exploit relies on disguising a malicious binary as an image file, bypassing input validation in the REST upload endpoint. No CVE identifier has been assigned yet; the vulnerability is classified as a zero‑day remote code execution (RCE) and account takeover risk. Data at risk includes admin credentials, customer personal data, and transaction records. Source: The Hacker News
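As an added illustration of the server‑side check the Technical Notes describe (this is not code from Sansec, Magento or The Hacker News), the Python validator below rejects uploads whose bytes do not match the image type they claim to be; the file names, MIME types and sample bytes are constructed for the demonstration.

```python
import re

# Magic-byte prefixes for the image types the allow-list accepts (real file-format constants).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# A PHP open tag inside an "image" marks it as a polyglot that a web server could execute.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_image_upload(filename, content_type, data):
    """Return (accepted, reason) for one upload submitted as an image."""
    name = filename.strip()
    # Reject path separators and traversal so the file cannot land outside the media directory.
    if not name or "/" in name or "\\" in name or ".." in name:
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension .%s not in allow-list" % ext
    # Reject executable names hidden in inner extensions (e.g. name.php.png).
    if any(p in ("php", "phtml", "phar") for p in parts[1:-1]):
        return False, "executable inner extension"
    if not content_type.lower().startswith("image/"):
        return False, "Content-Type is not image/*"
    # Declared type, file extension and actual bytes must all agree.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag embedded in image data (polyglot)"
    return True, "ok"


# Constructed sample uploads (not real traffic).
SAMPLES = {
    "clean_png": ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    "polyglot_png": ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php echo 1; ?>"),
    "renamed_script": ("avatar.jpg", "image/jpeg", b"<?php echo 1; ?>"),
    "double_ext": ("x.php.png", "image/png", b"\x89PNG\r\n\x1a\n"),
}

if __name__ == "__main__":
    for label, (fn, ct, body) in SAMPLES.items():
        print(label, validate_image_upload(fn, ct, body))
```

A byte-pattern check is a screening control only; the stronger mitigation is to re‑encode every accepted image with an image library so that no attacker‑controlled bytes are written to disk verbatim.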