Sansec is warning that Magento's REST API has a serious security flaw that could let unauthenticated attackers upload arbitrary executable files and run them, resulting in account takeover and code execution. Sansec named the vulnerability "PolyShell" because the attack relies on hiding malicious code inside an image file.

There is no evidence that the flaw has been exploited in the wild. The unrestricted file upload issue affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2. According to the Dutch security company, the root cause is that Magento's REST API allows files to be uploaded as part of a cart item's custom options.

It said: "When a product option has type 'file,' Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. On the server, the file is written to pub/media/custom_options/quote/." Depending on how the web server is configured, the flaw could enable remote code execution via an uploaded PHP file or account takeover via stored XSS.

Sansec also noted that Adobe fixed the problem in the 2.4.9 pre-release branch as part of APSB25-94, but that there is no separate patch for the current production versions. "Adobe does give a sample web server configuration that would mostly limit the damage, but most stores use a custom configuration from their hosting provider," it said.

To reduce the risk, e-commerce storefronts should:

- Restrict web access to the upload directory (pub/media/custom_options/).
- Verify that the nginx or Apache rules actually block requests to that directory.
- Scan the store for web shells, backdoors, and other malware.
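The third step, checking the store for malicious uploads, can be partly automated. The following scanner is an added example written for this article; it is not Sansec's or Adobe's code. It walks the upload directory described in the advisory (assumed here to be the quote/ subdirectory of pub/media/custom_options/) and flags files that either carry an extension the web server might hand to the PHP interpreter, or that start with an image header but contain a PHP open tag, which is the polyglot pattern PolyShell relies on. The extension list and the sample files are constructed assumptions, not values from the advisory.

```python
"""Scan a Magento custom-options upload directory for polyglot or executable files.

Added example for this article, not Sansec's or Adobe's code. Assumes the
directory layout named in the advisory (pub/media/custom_options/quote/).
"""
import os
import re
import tempfile

# Extensions a typical PHP-FPM/mod_php setup might execute (assumed list).
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps", ".pht"}

# Magic bytes of common image formats accepted for file options.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Matches both the long "<?php" and the short echo "<?=" open tags.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path):
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    # A name such as "photo.png.php" still ends in .php and may be executed.
    ext = os.path.splitext(os.path.basename(path))[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
    with open(path, "rb") as fh:
        data = fh.read()
    image_kind = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)
    if PHP_TAG.search(data):
        if image_kind:
            findings.append(f"polyglot: {image_kind} header with embedded PHP tag")
        else:
            findings.append("PHP tag in upload")
    return findings


def scan_upload_dir(root):
    """Walk root and return {relative_path: findings} for suspicious files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = classify(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_dir():
    """Create a constructed quote/ directory: one clean PNG, one JPEG with an
    embedded PHP tag, and one PNG renamed with a .php extension. Returns root."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = os.path.join(root, "quote")
    os.makedirs(quote)
    with open(os.path.join(quote, "clean.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(quote, "avatar.jpg"), "wb") as fh:
        # Constructed marker only; the tag is what the scanner keys on.
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* constructed marker */ ?>")
    with open(os.path.join(quote, "photo.png.php"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed marker */ ?>")
    return root


if __name__ == "__main__":
    # Point scan_upload_dir at the real pub/media/custom_options/ on a store;
    # the sample directory is used here so the script runs offline.
    for rel, why in scan_upload_dir(build_sample_dir()).items():
        print(rel, "->", "; ".join(why))
```

Run it against the store's real pub/media/custom_options/ directory rather than the sample. A hit means the file should be quarantined and the upload path investigated, but a clean scan does not make the deny rule in nginx or Apache optional: as Sansec points out, blocking access does not stop the uploads themselves, so the scanner complements the web server rule rather than replacing it.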

"Blocking access doesn't stop uploads, so people can still upload malicious code if you don't have a special WAF [Web Application Firewall]," Sansec said. Separately, Netcraft has reported that thousands of Magento e-commerce sites across many industries and regions are being hacked and defaced as part of an ongoing campaign. The activity, which started on February 27, 2026, involves the threat actor placing plaintext files in publicly accessible web directories.

"Attackers have used defacement txt files on about 15,000 hostnames across 7,500 domains. This includes infrastructure linked to well-known global brands, e-commerce sites, and government services," said security researcher Gina Chow. It is not yet clear whether the attacks exploit a specific Magento flaw or a misconfiguration, or whether they are all being carried out by one person.

The campaign has affected the infrastructure of well-known brands including Asus, FedEx, Fiat, Lindt, Toyota, and Yamaha. ZeroOwl has also contacted Netcraft to ask whether this activity is connected to PolyShell. If we hear back, we will update the story.