Unauthenticated Remote Code Execution Vulnerability “PolyShell” Threatens Magento E‑Commerce Platforms
What Happened — A newly disclosed flaw, dubbed PolyShell, lets an attacker upload a crafted polyglot file via Magento’s REST API and achieve unauthenticated remote code execution or account takeover on any Magento Open Source or Adobe Commerce 2.x installation. The vulnerability stems from unsafe handling of file‑upload custom options that are written to pub/media/custom_options/.
Why It Matters for TPRM —
- Critical RCE in a widely‑deployed e‑commerce stack can cascade to downstream partners, payment processors, and logistics providers.
- Exploit code is already circulating; automated attacks are expected to follow the release of the fix.
- Patch availability is limited to an alpha release, leaving production sites exposed for an indeterminate period.
Who Is Affected — Retail & e‑commerce merchants, SaaS providers hosting Magento stores, third‑party hosting/MSP services, and any downstream supply‑chain entities that process orders or payments through compromised sites.
Recommended Actions —
- Immediately block public access to pub/media/custom_options/ via web‑server rules (nginx/Apache).
- Deploy the Adobe‑provided sample configuration or equivalent hardening controls.
- Conduct a forensic scan for uploaded shells or malicious payloads on all Magento instances.
- Prioritize patching to the alpha 2.4.9 release or apply temporary mitigations until a production patch is issued.
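One way to implement the web‑server rule above, as an added nginx example that is not Adobe's sample configuration: it assumes the standard Magento layout in which nginx's document root is the pub/ directory, so pub/media/custom_options/ is reached at the URL path /media/custom_options/.

```nginx
# Added example (not Adobe's nginx.conf.sample). Assumes: root is $MAGE_ROOT/pub,
# so pub/media/custom_options/ is served at /media/custom_options/.
# Place these blocks inside the Magento server {} block, before any generic
# "location /media/" rule, so that they take precedence.

# 1. Files uploaded as "file" custom options are never meant to be fetched
#    directly by a browser; refuse every request for this directory.
#    "^~" makes this prefix match win over regex locations declared elsewhere.
location ^~ /media/custom_options/ {
    deny all;          # nginx answers 403 Forbidden
}

# 2. Defence in depth: if a polyglot upload is reachable through any other
#    path under /media/, never hand it to PHP-FPM or another script handler.
location ~* ^/media/.*\.(php|phtml|phar|shtml|cgi|pl)$ {
    deny all;
}
```

After reloading nginx, a request such as `curl -I https://shop.example/media/custom_options/anything` should return 403, and access logs for that path become a useful detection signal for probing.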
Technical Notes — The flaw is triggered by a base64‑encoded file payload submitted as a “file” custom option in the cart API. Depending on server configuration, the payload can execute as a script (RCE) or run stored XSS for account takeover. No CVE number has been assigned yet; the issue is classified as a zero‑day exploit. Source: BleepingComputer