A critical flaw in Magento Open Source and Adobe Commerce v2 — dubbed PolyShell — is being exploited at scale, with attacks observed against more than half of all vulnerable stores worldwide.
What Is PolyShell?
- Root cause: Magento’s REST API accepts file uploads as part of custom cart options.
- Attack vector: Polyglot files can bypass validation, enabling remote code execution (RCE) or stored cross-site scripting (XSS) if the web server configuration allows it.
- Impact: Account takeover, payment card theft, and full compromise of e-commerce infrastructure.
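The root cause above is an upload path that trusts the file's declared type. As an added example (not Magento's, Adobe's or Sansec's code), here is a defensive validator that rejects polyglot uploads: files whose magic bytes say "image" but whose body also carries PHP or HTML/script markers that a misconfigured web server would execute or a browser would render. The allowed-type list, the marker list and every sample payload are assumptions constructed for the demo.

```python
"""
Added example: reject polyglot image uploads before they reach the web root.
Not code from Magento, Adobe or Sansec; allowed types, markers and samples are
assumptions constructed for illustration.
"""
import re
from typing import Optional, Tuple

# Magic-byte signatures for the image types this endpoint is assumed to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers that have no business inside an image but would be interpreted by a
# PHP-enabled server or by a browser if the file is ever served as HTML.
# Short tags such as "<?=" can occur in binary data by chance, so treat a hit
# as "quarantine for review" rather than proof of attack.
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<\?=|<script\b|<svg\b|<html\b|<iframe\b|eval\(|base64_decode\(",
    re.IGNORECASE,
)


def declared_type(filename: str) -> Optional[str]:
    """Map the extension to an allowed type. Files with no extension, with
    multiple extensions (e.g. 'x.php.jpg') or with a disallowed one return None."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    ext = {"jpeg": "jpg"}.get(parts[1], parts[1])
    return ext if ext in MAGIC else None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only when the extension is a single
    allowed one, the magic bytes agree with it, and no script marker is found."""
    kind = declared_type(filename)
    if kind is None:
        return False, "extension not allowed or multiple extensions"
    if not data.startswith(MAGIC[kind]):
        return False, f"content does not match declared type {kind}"
    m = SCRIPT_MARKERS.search(data)
    if m:
        return False, f"polyglot marker found: {m.group(0)[:20]!r}"
    return True, "ok"


# --- constructed samples (inert strings, not real payloads) -----------------
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
# GIF header followed by a PHP open tag: passes a magic-bytes-only check but
# is code to a server that hands the path to PHP.
POLYGLOT_GIF = b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>"
# Valid PNG magic, but the body would be stored XSS if served as HTML.
POLYGLOT_PNG = MAGIC["png"] + b"<script>/* constructed marker */</script>"

if __name__ == "__main__":
    samples = [
        ("logo.gif", CLEAN_GIF),
        ("logo.gif", POLYGLOT_GIF),
        ("logo.png", POLYGLOT_PNG),
        ("shell.php.jpg", b"\xff\xd8\xff"),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

The same `validate_upload` check can be run over an existing media directory as part of an audit; a hit on a file that was uploaded before patching is worth treating as a possible web shell rather than a false positive. Validation like this complements, but does not replace, a web server configuration that refuses to execute anything under the upload directory.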
Exploitation Timeline
- March 10, 2026: Adobe releases a fix in v2.4.9-beta1.
- March 19, 2026: Mass exploitation begins, just two days after public disclosure.
- March 25, 2026: Sansec reports PolyShell attacks on 56.7% of vulnerable stores.
Novel WebRTC Skimmer
Some PolyShell attacks deploy a WebRTC-based payment card skimmer:
- Uses DTLS-encrypted UDP instead of HTTP, evading strict CSP controls.
- Employs forged SDP exchange to connect to attacker C2 servers.
- Executes second-stage payloads via script nonce reuse or unsafe-eval injection.
- Delays execution with requestIdleCallback to reduce detection.
Sansec detected this skimmer on the e-commerce site of a $100B car manufacturer, which did not respond to notifications.
Indicators of Compromise (IoCs)
Defenders should watch for:
- Suspicious file uploads via Magento REST API.
- WebRTC traffic anomalies (connect-src bypass attempts).
- Obfuscated JavaScript loaders using forged SDP exchanges.
- Hardcoded C2 endpoints in skimmer scripts.
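The skimmer description and the IoC list above share one detection idea: none of the individual behaviours (WebRTC, a nonce, an idle callback) is malicious on its own, but their combination in one script is. As an added example (not Sansec's detection logic and not part of the original article), here is a static heuristic scanner over JavaScript source that scores that combination. The indicator regexes, weights and threshold are assumptions drawn from the bullets above, and the two JS samples are constructed fragments for the demo, not working scripts.

```python
"""
Added example: heuristic static scan of JavaScript for the behaviour cluster
reported for the PolyShell WebRTC skimmer. Indicators, weights and threshold
are assumptions; the JS samples are constructed and non-functional.
"""
import re
from typing import Dict, List, Tuple

# name -> (regex over JS source, weight). Weights are an assumption to tune
# against your own script corpus.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "rtc_peer_connection": (re.compile(r"\bRTCPeerConnection\b"), 1),
    # An SDP blob embedded as a string literal instead of arriving from a
    # signalling server is the "forged SDP exchange" pattern.
    "inline_sdp_literal": (re.compile(r"""["'`]v=0(\\r\\n|\\n|\n)"""), 3),
    "set_remote_description": (re.compile(r"\.setRemoteDescription\s*\("), 1),
    "idle_callback_delay": (re.compile(r"\brequestIdleCallback\s*\("), 1),
    # Harvesting an existing script's nonce to mint a new CSP-approved script.
    "nonce_reuse": (
        re.compile(r"currentScript\.nonce|\[nonce\]|getAttribute\(\s*['\"]nonce['\"]\s*\)"),
        3,
    ),
    "unsafe_eval": (re.compile(r"\b(eval|Function)\s*\("), 2),
}

ALERT_THRESHOLD = 6  # assumption


def scan_script(source: str) -> Dict[str, object]:
    """Return the matched indicator names, a weighted score and an alert flag.
    A lone RTCPeerConnection is normal (video chat, etc.); alert only when WebRTC
    is combined with a CSP-bypass indicator and the score clears the threshold."""
    hits: List[str] = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    score = sum(INDICATORS[h][1] for h in hits)
    uses_webrtc = "rtc_peer_connection" in hits
    has_bypass = any(h in hits for h in ("inline_sdp_literal", "nonce_reuse", "unsafe_eval"))
    return {"hits": hits, "score": score, "alert": uses_webrtc and has_bypass and score >= ALERT_THRESHOLD}


# --- constructed samples ----------------------------------------------------
# Legitimate WebRTC: the answer SDP comes from a signalling endpoint.
BENIGN_JS = r"""
const pc = new RTCPeerConnection({iceServers: [{urls: 'stun:stun.example.org'}]});
const answer = await fetch('/signal/answer').then(r => r.json());
await pc.setRemoteDescription(answer);
"""

# Indicator cluster from the description above, as inert fragments: delayed
# start, nonce harvesting, and a hardcoded SDP answer. Not a functional script.
SUSPICIOUS_JS = r"""
requestIdleCallback(() => {
  const n = document.currentScript.nonce;
  const pc = new RTCPeerConnection({});
  pc.setRemoteDescription({type: 'answer', sdp: 'v=0\r\no=- 0 0 IN IP4 0.0.0.0\r\n'});
  const s = document.createElement('script'); s.nonce = n;
});
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(label, scan_script(src))
```

Run this over the JavaScript your checkout pages actually serve (including third-party tags), not just the files in your own repository, since the loader is reported to be injected rather than shipped. On the network side, DTLS over UDP from a checkout page is itself unusual for a store that runs no WebRTC feature; where a site needs no WebRTC at all, CSP Level 3 defines a `webrtc 'block'` directive that closes this channel outright, so check current browser support before relying on it.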
Final Thought
PolyShell is a reminder that e-commerce platforms remain prime targets for attackers. With exploitation already widespread, organizations must:
- Patch to v2.4.9-beta1 or later.
- Monitor for WebRTC traffic anomalies.
- Audit server configurations to prevent polyglot file execution.
The combination of mass exploitation and novel skimming techniques makes PolyShell one of the most urgent threats in the commerce sector today.