PolyShell flaw in Magento enables unauthenticated file uploads and RCE
A critical Magento vulnerability dubbed PolyShell allows unauthenticated attackers to upload arbitrary files through the platform's REST API by disguising malicious payloads as image uploads in cart item custom options. The issue affects all stable versions of Magento Open Source and Adobe Commerce. It stems from Magento decoding the base64-encoded file data supplied in the custom option and writing it to a web-accessible upload directory, which gives an attacker a way to place a file of their choosing on the server without any prior authentication.
Depending on web server configuration, successful exploitation can lead to remote code execution if the server executes files from the upload directory, or to account takeover through stored cross-site scripting if it merely serves them. Adobe addressed the flaw in the 2.4.9 pre-release branch under APSB25-94, but no standalone patch is available for current production versions, leaving existing deployments exposed. Researchers at Sansec said exploit methods are already circulating and warned that automated attacks are likely, urging administrators to restrict access to the affected upload directory, verify that the web server does not execute scripts or serve active content from it, and scan stores for web shells or other malware.
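The mitigation advice above includes scanning stores for web shells. The following Python script is an added example, not code from Sansec, Adobe or this page: it walks a custom-option upload directory and flags files that are not the plain images they claim to be, covering server-executable extensions, double extensions, image extensions whose magic bytes do not match, and PHP open tags hidden behind a valid image header, which is the "payload disguised as an image" pattern the summary describes. The directory pub/media/custom_options, the accepted image types and the sample files it builds when run without arguments are assumptions; adjust them to your store.

```python
"""Scan a Magento custom-option upload directory for files that are not the
plain images they claim to be (image/PHP polyglots, stray scripts, mislabelled files).

Added example, not Sansec's or Adobe's code. Assumes uploads land under
pub/media/custom_options (pass another path as argv[1]) and that a legitimate
upload is a single image whose declared extension matches its magic bytes and
whose body contains no PHP open tag.
"""
from __future__ import annotations

import os
import re
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Magic bytes for the image types a store would normally accept (assumed set).
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".webp": [b"RIFF"],  # bytes 8..12 must also read "WEBP"; checked below
}

# Extensions a PHP web server may execute or honour; none belong in an upload dir.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps", ".shtml", ".htaccess"}

# PHP open tags. A polyglot keeps a valid image header and hides these in the body.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def inspect_file(path: Path) -> list[str]:
    """Return the reasons this file is suspicious; an empty list means it looks clean."""
    reasons: list[str] = []
    ext = path.suffix.lower()
    name = path.name.lower()

    if ext in EXECUTABLE_EXTS or name == ".htaccess":
        reasons.append(f"server-executable extension {ext or name!r} in upload directory")

    # Double extension such as shell.php.png is a classic upload-filter bypass.
    inner = Path(path.stem).suffix.lower()
    if inner in EXECUTABLE_EXTS:
        reasons.append(f"double extension {inner}{ext}")

    data = path.read_bytes()
    head = data[:16]

    magics = IMAGE_MAGIC.get(ext)
    if magics is not None:
        ok = any(head.startswith(m) for m in magics)
        if ext == ".webp":
            ok = ok and data[8:12] == b"WEBP"
        if not ok:
            reasons.append(f"declared {ext} but magic bytes {head[:8].hex()} do not match")
    elif ext not in EXECUTABLE_EXTS:
        reasons.append(f"non-image extension {ext!r}")

    if PHP_TAG_RE.search(data):
        reasons.append("contains a PHP open tag")

    return reasons


def scan_upload_dir(root: str | os.PathLike) -> list[Finding]:
    """Walk root recursively and report every file with at least one reason."""
    findings: list[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings.append(Finding(str(p.relative_to(root)), reasons))
    return findings


def build_sample_dir() -> Path:
    """Constructed sample uploads (not real captures): a clean PNG, a PNG with PHP
    appended after the image data, a .php dropped directly, and a .jpg that is a GIF."""
    root = Path(tempfile.mkdtemp(prefix="custom_options_"))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"IEND\xaeB`\x82"
    (root / "quote").mkdir()
    (root / "quote" / "clean.png").write_bytes(png)
    (root / "quote" / "poly.png").write_bytes(png + b"<?php echo 'hidden'; ?>")
    (root / "quote" / "shell.php").write_bytes(b"<?php echo 'direct'; ?>")
    (root / "quote" / "notjpeg.jpg").write_bytes(b"GIF89a" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for f in scan_upload_dir(target):
        print(f.path, "->", "; ".join(f.reasons))
```

Run it against the real directory (for example `python scan_uploads.py pub/media/custom_options`) and treat every finding as a file to quarantine and investigate, not delete outright; a clean scan says nothing about whether the web server would execute a future upload, so the server-side deny rule for scripts in that directory still has to be checked separately.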
Timeline
Mar 25, 2026
Sansec says PolyShell attacks hit 56.7% of vulnerable stores
By 2026-03-25, Sansec reported that PolyShell exploitation had escalated to affect 56.7% of vulnerable Magento and Adobe Commerce stores. The researchers also observed some attacks deploying a new payment card skimmer that exfiltrated data over WebRTC using DTLS-encrypted UDP rather than HTTP, sidestepping web security controls that only inspect HTTP traffic; one detected victim was described as a major car maker's e-commerce site.
Mar 20, 2026
Researchers warn PolyShell exploit methods are circulating
Security reporting said exploit techniques for PolyShell were already circulating, raising the likelihood of imminent automated attacks against exposed Magento stores. At the time of reporting, there was no evidence of active exploitation.
Mar 20, 2026
Sansec discloses PolyShell affecting Magento production versions
Sansec publicly disclosed a critical Magento REST API vulnerability dubbed PolyShell that affects all stable Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. The flaw allows unauthenticated arbitrary file uploads disguised as images and can lead to remote code execution or account takeover depending on server configuration.
Mar 20, 2026
Adobe fixes PolyShell in Magento 2.4.9 alpha branch
Adobe addressed the PolyShell file-upload vulnerability in the 2.4.9 pre-release branch via APSB25-94. The fix was not available as a standalone patch for current production Magento Open Source and Adobe Commerce versions.
Mar 19, 2026
Sansec observes active PolyShell exploitation and mass scanning
Sansec reported that PolyShell was being actively exploited against Magento and Adobe Commerce stores, with mass automated scanning starting on 2026-03-19. The activity involved more than 50 IP addresses targeting 23% of protected stores, marking a shift from circulating exploit methods to observed real-world attacks.
Related Stories

Critical Magento SessionReaper Vulnerability (CVE-2025-54236) Enables Session Hijacking and Remote Code Execution
A critical vulnerability in the Magento ecommerce platform, identified as CVE-2025-54236 and dubbed 'SessionReaper,' has been actively exploited in the wild. The flaw allows attackers to hijack user sessions and achieve unauthenticated remote code execution (RCE) on affected Magento installations. Security researchers observed a surge in exploitation attempts following the public release of a proof-of-concept (PoC) exploit, with attackers deploying web shells and conducting reconnaissance using classic PHP probes. Adobe released an emergency patch for the vulnerability, and organizations are urged to apply it immediately to mitigate risk. Magento's widespread use and history of critical vulnerabilities make this flaw particularly attractive to threat actors. Exploitation attempts have targeted over 130 hosts from multiple IP addresses within 48 hours of the PoC's publication. Web application firewalls, such as Akamai's Adaptive Security Engine, have been effective in mitigating some exploit attempts by default. The vulnerability's critical nature and active exploitation highlight the urgent need for patching and enhanced monitoring of Magento deployments.
1 month ago
Active Exploitation of SessionReaper Vulnerability in Adobe Magento
Hackers have begun actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce (Magento) platforms, with security firm Sansec detecting and blocking hundreds of real-world attack attempts. The flaw, which allows attackers to take control of account sessions via the Commerce REST API, remains unpatched in approximately 62% of Magento stores, leaving thousands of e-commerce sites exposed to remote code execution and account takeover attacks. Technical analyses and proof-of-concept exploit code have been published, further increasing the risk of mass exploitation. Adobe issued an emergency patch for SessionReaper six weeks prior to the observed attacks, but patch adoption has been slow. Attackers are leveraging PHP webshells and probes to exploit the vulnerability, with most attacks originating from a handful of IP addresses. Security experts warn that the public availability of exploit details and the high impact of the flaw make rapid patching and the activation of web application firewalls critical for all affected organizations.
1 month ago
Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
1 month ago