Vulnerabilities · HIGH

PolyShell Vulnerability - Unauthenticated RCE in Magento Stores

BleepingComputer · Reporting by Bill Toulas
3 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

In short: a new flaw lets attackers run code on Magento stores without logging in.

Quick Summary

A new vulnerability called 'PolyShell' threatens Magento e-stores by allowing unauthorized remote code execution. This flaw affects all versions of Magento Open Source and Adobe Commerce. Immediate action is required to secure these platforms from potential attacks.

The Flaw

The newly discovered vulnerability, known as PolyShell, affects all Magento Open Source and Adobe Commerce installations on the stable version 2 line. It allows unauthenticated remote code execution (RCE): an attacker can execute commands on the server without logging in. The issue stems from how Magento's REST API handles file uploads when a product option of type 'file' is submitted. In that case Magento processes an embedded file_info object containing base64-encoded file data, a MIME type and a filename, and writes the decoded file to the server's pub/media/custom_options/ directory.

Sansec, an e-commerce security firm, has raised the alarm about this vulnerability, noting that while there are currently no signs of active exploitation, the method for exploiting the flaw is already circulating. Sansec expects automated attacks to begin soon, putting many Magento stores at risk.

What's at Risk

The PolyShell vulnerability can lead to serious consequences, including account takeover and stored cross-site scripting (XSS) attacks. Sansec's investigation revealed that a significant number of Magento and Adobe Commerce stores expose files in the upload directory, making them vulnerable to exploitation. The flaw is particularly concerning because it can be triggered by simply uploading a specially crafted file that acts as both an image and a script.

Magento stores that do not implement proper security measures could face severe data breaches, potentially compromising sensitive customer information and leading to significant financial losses.

Patch Status

Adobe has acknowledged the issue and released a fix, but it is currently only available in the second alpha release for version 2.4.9. This means that many production versions remain vulnerable, leaving store administrators in a precarious position. Until a stable patch is released for all versions, the risk of exploitation remains high.

Sansec points out that Adobe ships a sample web server configuration that can mitigate the fallout from this vulnerability. However, many stores rely on configurations provided by their hosting providers, which may not include these protective measures.

Immediate Actions

Store administrators are urged to take immediate steps to protect their Magento installations. Here are some recommended actions:

  • Restrict access to the pub/media/custom_options/ directory to prevent unauthorized file uploads.
  • Verify server configurations (nginx or Apache) to ensure they block access to vulnerable directories.
  • Scan for uploaded shells, backdoors, or malware that may already be present on the server.
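The following POSIX shell script is an added example and is not code from the article, from Sansec or from Adobe. It automates two of the checks above: it tests whether an nginx or Apache configuration file contains a block that denies direct access to pub/media/custom_options/, and it scans that directory for files with a script extension, a PHP open tag in the body, or an image extension whose first bytes are not a PNG, GIF or JPEG signature (the image-plus-script polyglot the article describes). The directory layout, the config snippets and the sample files it builds are constructed assumptions; the config check is a heuristic and does not follow include directives.

```shell
#!/bin/sh
# Added example, not the project's code. Audits a web server config and the
# custom_options upload directory. All paths and samples are constructed.

# Returns 0 if CONFIG_FILE has an nginx "location" or Apache "<Directory>"
# block naming custom_options that denies access, 1 otherwise. Heuristic:
# a regex scan with awk, not a config parser; "include" files are ignored.
config_blocks_custom_options() {
    awk '
        /(location|<Directory)[^{>]*custom_options/ { in_block = 1 }
        in_block && /(deny[ \t]+all|return[ \t]+40[34]|Require[ \t]+all[ \t]+denied)/ { found = 1 }
        in_block && /^[ \t]*(}|<\/Directory>)/ { in_block = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# True if $1 begins with the string $2.
starts_with() { case "$1" in "$2"*) return 0 ;; esac; return 1; }

# Scans DIR (one level) and flags files that have a server-side script
# extension, contain a PHP open tag, or carry an image extension whose magic
# bytes do not match. Findings go to stderr; the count is echoed to stdout.
scan_custom_options() {
    dir="$1"
    hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        reasons=""
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9]) reasons="script extension" ;;
        esac
        if grep -aq '<?php' "$f"; then
            reasons="${reasons:+$reasons; }PHP open tag in body"
        fi
        magic=$(od -An -tx1 -N8 "$f" | tr -d ' \n')   # first 8 bytes as hex
        case "$f" in
            *.png)        if ! starts_with "$magic" 89504e470d0a1a0a; then reasons="${reasons:+$reasons; }not a PNG"; fi ;;
            *.gif)        if ! starts_with "$magic" 47494638; then reasons="${reasons:+$reasons; }not a GIF"; fi ;;
            *.jpg|*.jpeg) if ! starts_with "$magic" ffd8ff; then reasons="${reasons:+$reasons; }not a JPEG"; fi ;;
        esac
        if [ -n "$reasons" ]; then
            echo "SUSPICIOUS: $f ($reasons)" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Builds a constructed store tree in a temp dir and echoes its path:
# a genuine PNG header, a JPEG/PHP polyglot, a plain .php file, a text file
# with a .png name, plus a "weak" and a "hardened" nginx config fragment.
make_samples() {
    work=$(mktemp -d)
    up="$work/pub/media/custom_options"
    mkdir -p "$up"
    printf '\211PNG\r\n\032\n' > "$up/photo.png"
    printf '\377\330\377\340<?php /* constructed marker, not a shell */ ?>' > "$up/poly.jpg"
    printf 'plain text' > "$up/note.php"
    printf 'plain text' > "$up/fake.png"
    cat > "$work/weak.conf" <<'EOF'
location /media/ { try_files $uri $uri/ /get.php$is_args$args; }
EOF
    cat > "$work/hardened.conf" <<'EOF'
location /media/ { try_files $uri $uri/ /get.php$is_args$args; }
location ~ ^/media/custom_options/ {
    deny all;
}
EOF
    echo "$work"
}

demo() {
    d=$(make_samples)
    for c in weak hardened; do
        if config_blocks_custom_options "$d/$c.conf"; then
            echo "$c.conf: direct access to custom_options is denied"
        else
            echo "$c.conf: no deny rule for custom_options found"
        fi
    done
    n=$(scan_custom_options "$d/pub/media/custom_options")
    echo "flagged $n of 4 uploaded files"
    rm -rf "$d"
}

demo
```

On a real store, point `config_blocks_custom_options` at the active nginx or Apache config and `scan_custom_options` at the store's pub/media/custom_options/ directory; a flagged file is a lead for manual review, not proof of compromise, and a clean scan does not rule out files hidden elsewhere.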

As the situation evolves, it’s crucial for Magento store owners to stay vigilant and implement these protective measures until a comprehensive patch is available.

🔒 Pro insight: The PolyShell vulnerability highlights the risks of file upload functionalities in e-commerce platforms, necessitating stringent security measures and regular audits.

Original article: BleepingComputer · Bill Toulas

Also covered by:

  • SC Media: Magento stores vulnerable to 'PolyShell' exploit
  • The Hacker News: Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover
