Magento Stores Face Risk From PolyShell Flaw Allowing File Uploads

Thousands of Magento stores could be at risk from a newly disclosed flaw called PolyShell, which lets attackers upload malicious files to the server. This is a serious problem for online shops.

A newly identified vulnerability, tracked as 'PolyShell', is enabling unauthenticated attackers to upload arbitrary executable files to Magento and Adobe Commerce platforms, leading to remote code execution (RCE) and potential account takeovers. The exploit targets the REST API's handling of custom options for cart items, allowing malicious PHP code embedded within seemingly legitimate image files, such as GIFs or PNGs, to be uploaded and executed.

The PolyShell vulnerability impacts Magento Open Source and Adobe Commerce versions 2.4.4 through 2.4.8-p4, and even earlier versions may be susceptible to related issues like cross-site scripting (XSS).

  • Attackers exploit the REST API's capability to accept file uploads as part of custom cart item options.

  • This allows for the upload of 'polyglot' files – files that are valid image formats but also contain executable code.

  • The uploaded files are typically placed in specific directories within the pub/media/custom_options/quote/ path.

  • Once executed, these files can act as backdoors, enabling attackers to run arbitrary commands and gain control of the e-commerce store.

Attackers Deploy Secondary Backdoors Post-Exploitation

Following initial exploitation via PolyShell, attackers have been observed deploying a secondary backdoor, commonly named accesson.php. This backdoor uses browser localStorage for persistence and loads external malware payloads from domains like lanhd6549tdhse.top. Observed malicious filenames also include index.php, json-shell.php, bypass.phtml, and various obfuscated variations attempting to evade detection.


  • Attackers create subdirectories, often named assets/images/, within various top-level directories they gain write access to.

  • Malicious scripts are then planted in these locations.

  • Some attackers use Unicode obfuscation, such as \u0062\u0079\u0070\u0061\u0073\u0073.\u0070\u0068\u0070, to disguise filenames.

Mitigation and Patching Status Remain Unresolved for Production

While Adobe has acknowledged the vulnerability and addressed it in the pre-release version 2.4.9 of its commerce platform (as part of APSB25-94), no isolated patches are currently available for stable, production versions. This leaves a significant number of operational stores exposed.

  • E-commerce platforms, particularly those running Magento, are frequent targets for cyber threat actors.

  • Custom configurations and setups can exacerbate the risk by leaving upload directories unprotected.

  • Organizations are advised to implement immediate mitigation measures.

Security firms and researchers suggest several immediate steps to reduce exposure:

  • Web Application Firewall (WAF) Updates: Ensure WAF rules are updated to detect and block suspicious REST API POST requests involving "custom options."

  • Directory Access Restriction: Block direct access to specific upload directories. For Nginx, this might involve:

    location /pub/media/custom_options/ {
        deny all;
    }

    For Apache, a .htaccess file within the relevant directory containing Deny from all can be used.

  • System Scanning: Employ specialized backend scanners, such as Sansec's eComscan, to detect files with hidden PHP code disguised as images already present on servers.

  • Configuration Review: Assess custom API configurations and third-party extensions that interact with the REST API for potential elevated risks.
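As an added illustration of the system-scanning step above (example code written for this page, not code from the article, Sansec or Adobe), the following Python script walks a media tree such as pub/media/custom_options/quote/ and flags files that carry a valid image header but also contain a PHP open tag, as well as files with an executable extension that should never sit under pub/media/. The sample directory it builds, including the assets/images/ subfolder and the filenames, is constructed for the demonstration.

```python
import os
import re
import tempfile

# Image signatures the article names as polyglot carriers (GIF, PNG), plus JPEG.
IMAGE_MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
}
# PHP open tags that have no business inside an uploaded image.
PHP_TAG = re.compile(rb"<\?(php|=)|<script[^>]+language\s*=\s*['\"]?php", re.IGNORECASE)
# Extensions the PHP handler would execute if a request ever reached them.
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")

def classify_file(path):
    """Return a finding label for a suspicious file, or None if it looks clean."""
    with open(path, "rb") as fh:
        data = fh.read()
    if os.path.basename(path).lower().endswith(EXEC_EXT):
        return "executable-extension"
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if PHP_TAG.search(data):
        return f"polyglot-{kind}-with-php" if kind else "php-without-image-header"
    return None

def scan_media_dir(root):
    """Walk a media tree and map each suspicious relative path to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify_file(path)
            if verdict:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return findings

def build_sample_tree():
    """Constructed sample tree: one clean GIF, one GIF/PHP polyglot, one .phtml drop."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    sub = os.path.join(root, "quote", "assets", "images")  # mirrors the subdir pattern
    os.makedirs(sub)
    with open(os.path.join(root, "quote", "clean.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)
    with open(os.path.join(sub, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>")
    with open(os.path.join(sub, "bypass.phtml"), "wb") as fh:
        fh.write(b"<?= 'constructed marker' ?>")
    return root
```

The check is deliberately narrow (file header plus PHP tag or extension); a dedicated scanner such as eComscan also inspects obfuscated and encoded payloads, so treat this as a triage aid rather than a replacement.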

Background on PolyShell

The 'PolyShell' vulnerability stems from how Magento's REST API handles file uploads within the custom_options section of cart items. Researchers have demonstrated that by crafting specific polyglot files and exploiting the API's processing logic, attackers can bypass file type restrictions and upload executable scripts. The ease of exploitation and the potential for widespread impact on e-commerce operations have led to its classification as a critical zero-day threat. The affected platforms are widely used in the e-commerce sector, with reports indicating thousands of Magento websites could be at risk.


Frequently Asked Questions

Q: What is the PolyShell vulnerability affecting Magento and Adobe Commerce?
The PolyShell vulnerability allows attackers to upload harmful files, like PHP code hidden in images, to Magento and Adobe Commerce stores. This can let them take control of the store.
Q: Which versions of Magento and Adobe Commerce are affected by PolyShell?
Versions 2.4.4 through 2.4.8-p4 of Magento Open Source and Adobe Commerce are affected. Older versions might also have similar problems.
Q: How do attackers use the PolyShell vulnerability?
Attackers trick the store's system into accepting special files that look like images but contain harmful code. They upload these files using the store's order system, which can then run the code.
Q: What happens after attackers exploit the PolyShell flaw?
After uploading harmful files, attackers often install other hidden programs called backdoors. These backdoors help them keep control and steal information or cause more damage.
Q: Is there a fix available for the PolyShell vulnerability on live stores?
Adobe has fixed this in a new version (2.4.9), but there is no quick fix available for stores that are currently running. Businesses need to use other safety steps to protect themselves.
Q: What steps can businesses take to protect their Magento or Adobe Commerce stores from PolyShell?
Businesses should update their security software (WAF), block access to upload folders, scan their systems for hidden harmful files, and check their system settings and extra programs for risks.