HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Unauthenticated Remote Code Execution Vulnerability “PolyShell” Threatens Magento E‑Commerce Platforms

A newly disclosed ‘PolyShell’ flaw lets attackers upload malicious files through Magento’s REST API, achieving unauthenticated remote code execution or account takeover on any Magento Open Source or Adobe Commerce 2.x site. With exploit code already circulating and a fix limited to an alpha release, third‑party risk managers must act quickly to mitigate exposure across the e‑commerce supply chain.

LiveThreat™ Intelligence · 📅 March 20, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Unauthenticated Remote Code Execution Vulnerability “PolyShell” Threatens Magento E‑Commerce Platforms

What Happened — A newly disclosed flaw, dubbed PolyShell, lets an attacker upload a crafted polyglot file via Magento’s REST API and achieve unauthenticated remote code execution or account takeover on any Magento Open Source or Adobe Commerce 2.x installation. The vulnerability stems from unsafe handling of file‑upload custom options that are written to pub/media/custom_options/.

Why It Matters for TPRM

  • Critical RCE in a widely‑deployed e‑commerce stack can cascade to downstream partners, payment processors, and logistics providers.
  • Exploit code is already circulating; automated attacks are expected to follow the release of the fix.
  • Patch availability is limited to an alpha release, leaving production sites exposed for an indeterminate period.

Who Is Affected — Retail & e‑commerce merchants, SaaS providers hosting Magento stores, third‑party hosting/MSP services, and any downstream supply‑chain entities that process orders or payments through compromised sites.

Recommended Actions

  • Immediately block public access to pub/media/custom_options/ via web‑server rules (nginx/Apache).
  • Deploy the Adobe‑provided sample configuration or equivalent hardening controls.
  • Conduct a forensic scan for uploaded shells or malicious payloads on all Magento instances.
  • Prioritize patching to the alpha 2.4.9 release or apply temporary mitigations until a production patch is issued.

Technical Notes — The flaw is triggered by a base64‑encoded file payload submitted as a “file” custom option in the cart API. Depending on server configuration, the payload can execute as a script (RCE) or run stored XSS for account takeover. No CVE number has been assigned yet; the issue is classified as a zero‑day exploit. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →