Security researchers at Sansec have disclosed a critical vulnerability, dubbed "PolyShell," within the REST API of Magento and Adobe Commerce platforms. The flaw enables unauthenticated attackers to upload arbitrary executable files to vulnerable servers, paving the way for remote code execution (RCE) and complete account takeover. This vulnerability, which resides in the file upload mechanism for product custom options, affects all versions of Magento Open Source and Adobe Commerce up to and including the 2.4.9-alpha2 pre-release. While there is no current evidence of active exploitation, the severity of the bug necessitates immediate attention from administrators of the popular e-commerce platform.
The technical root of the PolyShell vulnerability lies in how Magento's REST API handles product options of the 'file' type. When a product is configured to accept file uploads as a custom option, the API processes an embedded `file_info` object containing base64-encoded file data, a MIME type, and a filename. The system then writes this file to a predictable location on the server: `pub/media/custom_options/quote/`. The critical failure is that this mechanism performs insufficient validation, allowing attackers to disguise malicious scripts—such as PHP web shells—as benign image files by manipulating the MIME type. The impact is twofold: if the server is configured to execute PHP files from this upload directory, it leads directly to RCE. Alternatively, if the uploaded file contains malicious JavaScript, it can facilitate stored cross-site scripting (XSS) attacks, enabling session hijacking and account takeover when an administrator views the file.
Adobe has addressed the vulnerability in the pre-release branch for version 2.4.9 as part of security bulletin APSB25-94. However, a significant problem remains: there is no isolated security patch available for current production versions (2.4.8 and earlier). Sansec notes that while Adobe provides a sample web server configuration—such as rules to block execution in the upload directory—that could mitigate the risk, the vast majority of online stores rely on custom configurations from their hosting providers, which may not implement these restrictions. The firm emphasizes that simply blocking web access to the upload directory does not prevent the uploads themselves; without a specialized Web Application Firewall (WAF) rule, attackers can still deposit malicious payloads onto the server.
In light of the PolyShell threat, Sansec recommends that store administrators take immediate defensive actions. The primary mitigation is to implement strict server-side validation for all file uploads, rejecting any files with executable extensions or mismatched MIME types. Administrators should also review and harden their web server configuration to explicitly deny the execution of scripts (like .php, .phtml) from the `pub/media/custom_options/` directory and its subfolders. This advisory arrives amid a separate, active campaign documented by Netcraft, where threat actors have been compromising and defacing thousands of Magento sites since late February 2026 by uploading plaintext files to web directories. This context underscores the persistent targeting of the Magento ecosystem and the critical need for robust security hygiene, including prompt application of official patches when they become available.
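The server-side validation recommended above, as an added example (not code from Sansec, Adobe, or the Magento project): it checks a `file_info` object against an allowlist of image types, rejects executable or double extensions and unsafe filenames, and requires the decoded bytes to match the declared MIME type's magic signature. The key names `name`, `type` and `base64_encoded_data` and the sample payloads are assumptions constructed for this example.

```python
import base64
import re

# Constructed allowlist: magic-byte signatures for the image types a product
# "file" custom option would legitimately accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}, "image/gif": {"gif"}}
# Extensions that must never appear anywhere in the name, even as "x.php.png".
EXEC_EXT = {"php", "phtml", "php3", "php4", "php5", "phar", "html", "htm", "js", "svg"}


def validate_file_info(file_info: dict) -> tuple:
    """Return (accepted, reason) for an assumed {name, type, base64_encoded_data} object."""
    name = file_info.get("name", "")
    mime = file_info.get("type", "")
    try:
        data = base64.b64decode(file_info.get("base64_encoded_data", ""), validate=True)
    except ValueError:
        return False, "invalid base64"
    # Reject empty names, path separators and traversal sequences outright.
    if not name or re.search(r"[\\/]|\.\.", name):
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]  # every dotted suffix, so "image.php.png" is caught too
    if EXEC_EXT & set(exts):
        return False, "executable extension"
    if mime not in MAGIC:
        return False, "MIME type not allowed"
    if exts[-1] not in ALLOWED_EXT[mime]:
        return False, "extension does not match declared MIME type"
    # The declared MIME type is attacker-controlled; trust only the bytes.
    if not any(data.startswith(sig) for sig in MAGIC[mime]):
        return False, "content does not match declared MIME type"
    return True, "ok"


# Constructed sample payloads: a minimal PNG header and a harmless PHP snippet.
SAMPLE_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_PHP_B64 = base64.b64encode(b"<?php echo 'hello'; ?>").decode()

if __name__ == "__main__":
    print(validate_file_info({"name": "photo.png", "type": "image/png", "base64_encoded_data": SAMPLE_PNG_B64}))
    print(validate_file_info({"name": "photo.png", "type": "image/png", "base64_encoded_data": SAMPLE_PHP_B64}))
```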