There is a serious flaw in Magento and Adobe Commerce stores that lets anyone upload files without any restrictions. This article examines that file-upload restriction flaw, which has been named "PolyShell."
The flaw lets unauthenticated attackers achieve remote code execution (RCE) and full account takeover. Automated attacks against vulnerable e-commerce stores have been observed since mid-March 2026, at a time when no official patch was available for production environments. The application is vulnerable because it lacks three important security checks: there is no validation of option IDs, no type gating for options, and no restriction on file extensions.
The Sansec Forensics Team advises administrators to take immediate protective steps until an official patch is released. On Nginx, that means a location block with a `deny all` that a PHP regex location cannot override; on Apache, it means strict .htaccess rules.
The vulnerable code has been present since the first release of the Magento 2.4.9-alpha3 branch as part of APSB25-94. However, stores currently in production remain highly exposed. The severity of the vulnerability varies with the software version and the server configuration.
Security teams should actively hunt their environments for hidden webshells so that both successful compromises and ongoing attempts are detected promptly. It is also advisable to deploy a Web Application Firewall (WAF) to block exploitation attempts in real time, and to restrict access to the pub/media/custom_options/quote/ directory on Nginx and Apache servers that do not already enforce PHP execution restrictions there. The bug affects all versions of Magento Open Source and Adobe Commerce up to 2.3.5, as well as environments with custom server settings.
It also affects versions 2.0.0 through 2.2.x, specifically on default Nginx settings (for example, versions 2.1.0–2.2).
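The Nginx hardening described above, written out as an added example (this is not configuration from the Sansec advisory or from Magento itself). It assumes the Magento docroot is `pub/`, so the on-disk directory pub/media/custom_options/quote/ is served under the URL prefix `/media/custom_options/quote/`; adjust the prefix if your docroot differs.

```nginx
# Added example: block direct web access to the custom option upload
# directory so that anything dropped there can never be served or executed.
#
# Assumption: docroot is pub/, so pub/media/custom_options/quote/ maps to
# the URL prefix /media/custom_options/quote/.
#
# The ^~ modifier makes this prefix match final. When Nginx picks a ^~
# prefix location it skips all regex locations, so a later
# `location ~ \.php$ { fastcgi_pass ...; }` block cannot hand a file in
# this directory to PHP-FPM. A deny here therefore cannot be undone by the
# PHP handler, which is the property the mitigation calls for.
location ^~ /media/custom_options/quote/ {
    deny all;
}

# Weak form, shown for comparison only. A plain prefix location (no ^~)
# is still subject to regex locations: a request for
# /media/custom_options/quote/anything.php would match `location ~ \.php$`
# first and be executed, so this does NOT protect the directory.
#
# location /media/custom_options/quote/ {
#     deny all;
# }
```

After reloading Nginx, confirm the block is effective by requesting a known file path under that prefix with a `.php` suffix and checking that the server answers 403 rather than passing the request to PHP.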