Magento PolyShell The Zero-Day Threatening Every Magento Store

⚠  CRITICAL SECURITY ALERT — MARCH 2026 Published: March 19, 2026  •  MagentoBrain.com  •  Security Deep-Dive

No isolated production patch exists yet. Every Magento 2 production store is exposed.

1. What is the PolyShell Vulnerability?

PolyShell is a critical zero-day vulnerability discovered and named by eCommerce security firm Sansec on March 17, 2026. It affects nearly all versions of Magento 2 and Adobe Commerce. A critical flaw in Magento’s REST API lets unauthenticated attackers upload executable files to any store.

The name breaks down perfectly: “Poly” refers to a polyglot file — a file that is simultaneously valid in two formats (e.g., a JPEG image and a PHP script at the same time). “Shell” refers to a web shell — a backdoor that gives attackers remote command-line access to your server.

🔴  WHY IT’S CRITICAL

No authentication is required. An attacker with zero knowledge of your admin credentials can exploit this remotely, at any time, against any unpatched Magento 2 store. The vulnerable code has existed since the very first Magento 2 release in 2015.

 

Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions. This means the entire installed base of production Magento 2 stores is currently exposed.

2. How the Attack Works: Technical Deep-Dive

2.1  The Polyglot File Concept

A polyglot file exploits how different software interprets files. A crafted file can appear to be a valid JPEG image to Magento’s validation code, while simultaneously containing executable PHP code. When the web server later processes a request to that file, it sees a PHP script and executes it — giving the attacker a persistent backdoor.

2.2  The Vulnerable Endpoint

Magento’s REST API accepts file uploads as part of cart item custom options. The flaw lies in how Magento validates the uploaded file — it trusts the MIME type and extension without properly stripping executable capability. The vulnerable path is:

Vulnerable REST endpoint

POST /rest/V1/carts/*/items   { “cartItem”: { “product_option”: { “extension_attributes”: { “custom_options”: [{ “option_value”: { “file_info”: { “base64_encoded_data”: “<POLYGLOT_PAYLOAD>”, “type”: “image/jpeg”, “name”: “shell.php” } } }] } } } }

2.3  Attack Flow

The full attack chain from initial request to web shell execution:

👤 Unauthenticated Attacker

→

🛒 REST API /V1/carts/*/items

→

📄 Polyglot File (JPG + PHP)

→

📂 pub/media/ custom_options/

→

💀 Web Shell Executed

2.4  The Three Threat Levels

Not all stores face the same risk level. The actual impact depends on your server configuration:

Threat Type	Affected Versions / Config	Risk Level
Unrestricted File Upload	All Magento Open Source & Adobe Commerce up to 2.4.9-alpha2	HIGH
Stored XSS	All versions pre-2.3.5 OR stores with custom webserver config	HIGH
Remote Code Execution (RCE)	Stock Nginx 2.0.0-2.2.x | Non-stock Nginx passing all .php to fastcgi | Apache pre-2.3.5 without php_flag engine 0	CRITICAL
Patched & Safe	2.4.9-alpha3 and later (pre-release only — not yet GA)	SAFE

 

⚠  THE DORMANT THREAT

If you migrate your server or change your configuration in the future, a dormant PolyShell file could suddenly be triggered — giving an attacker full control of your site. This is why removing existing malicious files is just as important as blocking new uploads.

2.5  What Attackers Can Do Once Inside

A successfully deployed web shell gives an attacker persistent, server-level access. Real-world consequences include:

• Payment card skimming — injecting JavaScript skimmers to steal checkout data
• Data exfiltration — stealing customer PII, order history, and stored credentials
• Ransomware deployment — encrypting store data and demanding payment
• Botnet use — leveraging your server’s resources for attacks on other targets
• Planting further backdoors that survive future store upgrades

3. Who Is Affected?

PolyShell is present in all current production versions of Magento 2, including 2.4.8-p4. If you are running any production Magento 2 or Adobe Commerce store and have not applied manual server-level mitigations, you should assume you are at least vulnerable to the file upload component of this attack.

ℹ  EXPLOITATION STATUS (AS OF MARCH 19, 2026)

Sansec has not observed active exploitation so far. However, the exploit method is already circulating and automated attacks are expected imminently. This is a narrow window to act before mass scanning begins.

 

History offers a sobering precedent. Past Magento critical disclosures saw stores attacked within hours to days: CosmicSting (2024) — 5 to 30 stores hacked per hour at peak. SessionReaper (2025) — attacks began within six weeks. PolyShell has a lower barrier — it requires zero authentication.

4. Vulnerability Timeline

MAGENTO 2.0.0 — 2015	Vulnerability Introduced The vulnerable file upload handling code ships in the very first Magento 2 release, sitting dormant for over a decade.
2.4.9 PRE-RELEASE — EARLY 2026	Adobe Quietly Patches Adobe addresses the flaw in 2.4.9-alpha3+ as part of security bulletin APSB25-94, but issues no isolated backport patch for production versions.
MARCH 17, 2026	Sansec Publishes PolyShell Disclosure Sansec publicly names and documents PolyShell, alerts the community, and begins WAF protection for Shield subscribers.
MARCH 18–19, 2026	Hosting Providers React Major Magento hosting providers begin deploying server-level mitigations. The community scrambles to assess exposure.
NOW — WINDOW CLOSING FAST	Act Before Automated Attacks Begin Exploit details are circulating. Mass automated attacks are expected imminently. Every unpatched store is a target.

5. How to Protect Your Store Right Now

Since no official backport patch exists for production versions, store owners must take manual action. Here is a prioritised action plan:

Action 1 — Block Access to the Upload Directory

Verify that your web server blocks all access to pub/media/custom_options/. For Nginx, ensure a location block with deny all exists and is not overridden by a \.php$ regex match further down the config.

nginx.conf — Block PHP execution in media directory

# Add inside your server {} block location ~* ^/media/custom_options/.*\.php$ { deny all; } location /media/custom_options/ { deny all; # Ensure NOT overridden by a catch-all \.php$ location }

pub/media/custom_options/.htaccess (Apache)

# Block all PHP execution in this directory php_flag engine off # Also deny direct web access entirely Order deny,allow Deny from all

Action 2 — Deploy a Web Application Firewall (WAF)

A WAF operating at the network level can block exploit attempts before they reach your application. Sansec Shield, Adobe Fastly WAF, and Cloudflare WAF all support Magento-specific rules. Ensure your WAF provider has deployed rules specifically for PolyShell (APSB25-94).

Action 3 — Apply Adobe’s Official Code Commit

You can apply the Adobe commit that introduced the fix directly from the magento/magento2 GitHub repository. The commit addresses the file upload validation flaw at the application level. You may need to adapt it for your exact version, but it should be straightforward for a developer familiar with Magento.

Action 4 — Scan for Existing Compromise

Use a deep-server malware scanner (Sansec eComscan, MageScan, or equivalent) to check for suspicious files already present in pub/media/custom_options/. If PolyShell was exploited before you hardened your server, malicious files may already be present and dormant.

Action 5 — Plan Your Upgrade to Magento 2.4.9

The only complete fix is upgrading to Magento 2.4.9 once it reaches general availability. Begin planning your upgrade now — assess custom extensions for compatibility, allocate development time, and schedule a staging environment test.

⚠  IMPORTANT LIMITATION

Blocking directory access alone does not block the initial file upload — it only prevents execution. You need a WAF or the code-level patch to stop the upload from happening in the first place. Always use multiple layers of defence.

6. How to Test if Your Store is Vulnerable

Run this quick manual test to check whether your store is exposed to the RCE component of PolyShell:

1. Create a test PHP file: Via SSH, run:

echo “<?php echo ‘PolyShell Test’; ?>” > pub/media/custom_options/test.php

2. Access it via browser: Visit: https://yourstore.com/media/custom_options/test.php
3. Interpret the result:

• VULNERABLE (Red): You see ‘PolyShell Test’ — PHP execution is possible. RCE is confirmed. Act immediately.
• SAFER (Green): You get a 403/404 or download prompt — PHP execution is blocked. Patch the upload flaw itself.

4. Clean up: Delete the test file:

rm pub/media/custom_options/test.php

7. Future Trends: What PolyShell Means for Magento Security

PolyShell is not an isolated incident — it is the latest chapter in a pattern of escalating eCommerce platform attacks. Here is what the trajectory looks like and what store owners need to prepare for:

⚡	Automation Is Accelerating Past Magento critical disclosures saw stores hacked within hours of exploit publication. AI-assisted exploit generation is shrinking that window further. Manual patching workflows are no longer fast enough.
🎭	Polyglot & Evasion Attacks Will Grow PolyShell demonstrates attackers moving beyond obvious malicious uploads. Expect more attacks disguising payloads as legitimate content, evading signature-based detection and file-type validation.
🛡	WAF-First Security Will Be Standard The recurring gap between vulnerability disclosure and patch availability is driving a shift toward proactive WAF deployment as a continuous, always-on security layer—not an emergency measure.
🔍	Supply Chain Vulnerabilities Rising Third-party extensions are a growing attack surface. AI-powered audits of popular Packagist extensions have found vulnerabilities ranging from password leaks to full remote code execution.
🤖	AI-Powered Security Scanning Defenders are using AI too. Expect AI-assisted malware detection, automated patch assessment, and real-time anomaly detection to become standard for enterprise Magento deployments.
📋	PCI-DSS 4.0 Compliance Pressure PCI-DSS 4.0 requirements tighten around web skimmer detection and file integrity monitoring. PolyShell-style attacks directly violate these requirements, increasing regulatory exposure for non-compliant stores.

The Magento Attack Lineage

PolyShell joins a growing lineage of Magento’s most dangerous flaws:

• Shoplift (2015) — First major unauthenticated RCE, prompted mass exploitation
• Ambionics SQLi (2019) — Critical SQL injection enabling admin account creation
• TrojanOrder (2022) — Order-based RCE affecting all Magento 2 versions
• CosmicSting (2024) — XML injection leading to server compromise at scale
• PolyShell (2026) — Polyglot file upload enabling persistent web shells

The key takeaway: reactive security is no longer viable. A posture built on patching after disclosure consistently puts you behind attackers. The future belongs to stores with proactive monitoring, automated scanning, and layered defences that buy time even before patches arrive.

8. Final Action Checklist

Your prioritised checklist for protecting your store from PolyShell:

Priority	Action
IMMEDIATE	Block PHP execution and direct web access in pub/media/custom_options/ via your Nginx or Apache configuration
IMMEDIATE	Run the quick RCE vulnerability test: create a test .php file in the upload directory and attempt to access it via browser
THIS WEEK	Deploy a real-time WAF (Sansec Shield, Adobe Fastly WAF, or equivalent) with active PolyShell rules
THIS WEEK	Run a deep malware scan to check whether your store was already compromised before you hardened the server
THIS MONTH	Evaluate and apply Adobe’s code-level patch commit for PolyShell, adapted for your Magento version
THIS QUARTER	Plan and schedule your upgrade to Magento 2.4.9 when GA is released for the definitive fix
ONGOING	Implement continuous security monitoring, third-party extension auditing, and regular penetration testing

 

Need Help Securing Your Magento Store? MagentoBrain specialises in Magento security hardening, patch management, and full security audits. Sources: · Adobe APSB25-94