PolyShell Vulnerability Exploited in 56% of Vulnerable Magento Stores, Enabling RCE and Payment Skimming
What Happened — Attackers are mass‑exploiting the critical “PolyShell” flaw in Magento Open Source/Adobe Commerce 2, targeting more than half of all vulnerable storefronts. The vulnerability resides in the REST API’s file‑upload endpoint, allowing polyglot payloads to achieve remote code execution or stored XSS, and is being leveraged to deliver a WebRTC‑based payment‑card skimmer.
Why It Matters for TPRM —
- Active exploitation of a widely‑used e‑commerce platform creates immediate data‑exfiltration risk for third‑party merchants.
- The WebRTC skimmer bypasses traditional CSP and network controls, evading many existing detection mechanisms.
- Patch availability is limited to a beta release; many vendors remain unpatched, extending the window of exposure.
Who Is Affected — Retail & e‑commerce firms, online marketplaces, and any organization that runs Magento Open Source or Adobe Commerce for storefronts.
Recommended Actions —
- Prioritize patching to the forthcoming stable 2.4.9 release; apply the beta if operationally acceptable.
- Enforce strict file‑type validation and disable unauthenticated REST API uploads.
- Harden CSP so that connect-src blocks unknown WebRTC endpoints, and monitor for anomalous UDP/DTLS traffic.
- Deploy WAF rules that detect polyglot file signatures and WebRTC‑related JavaScript loaders.
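The two controls above that a storefront team can implement directly are strict upload validation and a connect-src allowlist. The following is an added illustration written for this summary; it is not Magento or Adobe code and does not reflect how the fixed release validates uploads. The accepted image types, the code markers, the sample files and the origins are all constructed for the example. It checks that an upload's magic bytes match its single declared extension and that no server-side or script markers ride along inside the image (the polyglot pattern described above), and it audits a CSP header for a missing or wildcard connect-src. The audit also flags the absence of the CSP Level 3 `webrtc 'block'` directive, which this page does not mention; connect-src alone does not govern WebRTC data channels, so verify browser support for that directive before relying on it.

```python
"""Upload validation and CSP audit for a storefront (added example, not Magento code)."""
import re

# Magic-byte signatures for the image types a cart-option upload would accept.
# Constructed allowlist for this example.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markers that have no business inside an image. A file that carries one of
# these behind a valid image header is a polyglot, whatever its extension says.
POLYGLOT_MARKERS = (
    re.compile(rb"<\?php", re.IGNORECASE),
    re.compile(rb"<\?="),
    re.compile(rb"<script\b", re.IGNORECASE),
    re.compile(rb"<svg\b", re.IGNORECASE),
)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Rejects disallowed or multiple extensions (shell.php.png), a header that
    does not match the declared type, and embedded code markers.
    """
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if len(parts) > 2:
        return False, "multiple extensions: %s" % filename
    ext = parts[1]
    if ext not in MAGIC:
        return False, "extension not allowed: %s" % ext
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "header does not match .%s" % ext
    for marker in POLYGLOT_MARKERS:
        if marker.search(data):
            return False, "embedded code marker %r" % marker.pattern
    return True, "ok"


def audit_csp(header: str) -> list[str]:
    """Return findings for a Content-Security-Policy header value.

    connect-src falls back to default-src when absent; either must be an
    explicit allowlist. A wildcard or bare scheme lets a skimmer reach any
    host. WebRTC is outside connect-src, hence the separate webrtc check.
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    connect = directives.get("connect-src", directives.get("default-src"))
    if connect is None:
        findings.append("no connect-src or default-src: outbound fetch/XHR/WebSocket unrestricted")
    else:
        for src in connect:
            if "*" in src or src.lower() in ("http:", "https:", "ws:", "wss:"):
                findings.append("connect-src allows broad source %s" % src)
    if directives.get("webrtc") != ["'block'"]:
        findings.append("no webrtc 'block' directive: connect-src does not cover WebRTC data channels")
    return findings


if __name__ == "__main__":
    # Constructed sample uploads: a clean PNG, a PNG/PHP polyglot, a double extension.
    clean_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    polyglot_png = b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>"
    for name, blob in (("photo.png", clean_png),
                       ("avatar.png", polyglot_png),
                       ("shell.php.png", clean_png),
                       ("logo.jpg", clean_png)):
        print(name, validate_upload(name, blob))
    # Constructed CSP headers: one weak, one with an explicit allowlist.
    print(audit_csp("default-src 'self'; connect-src *"))
    print(audit_csp("default-src 'self'; connect-src 'self' https://api.example.com; webrtc 'block'"))
```

Running the script prints the verdict for each constructed upload and the findings for each header; in a WAF or upload handler the same checks would run before the file reaches disk.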
Technical Notes — The attack vector is a vulnerability exploit in Magento’s REST API (file‑upload for custom cart options). Exploited payloads are polyglot files that achieve RCE or stored XSS. A novel WebRTC skimmer uses DTLS‑encrypted UDP to exfiltrate payment data, evading CSP and traditional HTTP‑based controls. Adobe’s fix is currently in 2.4.9‑beta1 (released Mar 10 2026) and has not yet reached the stable branch. Source: BleepingComputer