The PolyShell Threat: A Critical Zero-Day Alert for Magento & Adobe Commerce
A new critical vulnerability, dubbed PolyShell, has sent shockwaves through the e-commerce community. Disclosed in March 2026, this zero-day exploit allows unauthenticated Remote Code Execution (RCE), giving attackers the keys to your storefront without needing a single login credential.
What is PolyShell?
The vulnerability (tracked under APSB25-94) targets the Magento REST API. It exploits the Custom Options feature—specifically when a product allows a customer to upload a file.
The “Poly” in PolyShell refers to polyglot files: malicious PHP scripts disguised as harmless images (like JPEGs). Because Magento’s API incorrectly validates these uploads, it writes them directly to the server at /pub/media/custom_options/quote/, where they can be executed to take over the entire site.
Are You at Risk?
If you are running Magento Open Source or Adobe Commerce versions 2.4.4 through 2.4.8-p4, you are vulnerable.
How to check:
- Version Check: Any version lower than the 2.4.9 pre-release branch is currently exposed.
- Execution Test: Place a simple test script in the uploads folder. If you can request it at https://yourstore.com and it executes, your server configuration is wide open to this attack.
The Current Patch Gap
As of late March 2026, Adobe has integrated a fix into the 2.4.9-alpha/beta branches. However, there is currently no standalone patch for the stable 2.4.7 or 2.4.8 versions. This means merchants must take manual action to stay safe.
Immediate Mitigation Steps
Do not wait for a formal patch. Follow these steps immediately to “virtually patch” your store:
- Block Directory Access
  - For Nginx: add a location block that denies every request to the upload directory:
    location /pub/media/custom_options/ { deny all; }
    If your web root is the pub/ directory (Magento's recommended layout), the request path is /media/custom_options/, so match that path instead.
  - For Apache: ensure a .htaccess file in that directory contains:
    Deny from all
    On Apache 2.4 without mod_access_compat, the equivalent directive is Require all denied.
- Update Your WAF
  If you use a Web Application Firewall (like Cloudflare or Sansec Shield), ensure your rules are updated to block suspicious REST API POST requests involving “custom options.”
- Scan for Compromise
  Use a specialized backend scanner like Sansec eComscan to check for “image” files that contain hidden PHP code already sitting on your server.
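The scan described above, as an added example: a small Python checker written here (it is not Sansec eComscan, nor code from Magento or Adobe) that walks the upload directory and flags files that start with an image signature but also contain a PHP open tag, or that carry an executable extension such as shell.php.jpg. The directory path is the one named earlier in the post; the sample files are constructed in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Directory named earlier in the post; scan_directory() accepts any path, so this is only a default.
DEFAULT_UPLOAD_DIR = "pub/media/custom_options/quote"

# Leading bytes of the image formats a store typically accepts for custom-option uploads.
IMAGE_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# PHP open tags: a hidden script needs one of these before any PHP handler will run it.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)

# Extensions PHP handlers commonly execute; none belongs in a media upload directory.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps"}


def image_type(data: bytes) -> Optional[str]:
    """Return the image format implied by the file's leading bytes, or None."""
    for name, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return name
    return None


def is_polyglot(data: bytes) -> bool:
    """True when the content looks like an image yet also carries a PHP open tag."""
    return image_type(data) is not None and PHP_MARKERS.search(data) is not None


def has_executable_extension(path: Path) -> bool:
    """Catch double extensions such as shell.php.jpg as well as plain .php."""
    return any(suffix.lower() in EXECUTABLE_EXTENSIONS for suffix in path.suffixes)


def scan_directory(root=DEFAULT_UPLOAD_DIR) -> list:
    """Walk root and return one finding per suspicious file: {"path": ..., "reasons": [...]}."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        reasons = []
        if is_polyglot(data):
            reasons.append("php-code-in-image")
        elif PHP_MARKERS.search(data):
            reasons.append("php-code")
        if has_executable_extension(path):
            reasons.append("executable-extension")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings


def build_sample_dir() -> str:
    """Constructed sample upload directory (not real store data) for a dry run."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    # Legitimate upload: image bytes only.
    Path(root, "clean.jpg").write_bytes(jpeg_head)
    # Polyglot: a valid JPEG header with a PHP open tag appended after the image data.
    Path(root, "poly.jpg").write_bytes(jpeg_head + b"<?php /* constructed marker, no payload */ ?>")
    # Double extension: a real GIF header, but the file name alone is enough to flag it.
    Path(root, "double.php.jpg").write_bytes(b"GIF89a" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_dir()):
        print(finding["path"], ", ".join(finding["reasons"]))
```

Point scan_directory() at the real upload path on a copy of the media directory and treat every finding as an indicator to investigate, not proof on its own; a polyglot that was never requested through the web server is still evidence that the upload validation was bypassed.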
The Bottom Line
PolyShell is one of the most dangerous Magento exploits in recent years because it requires no user interaction. Securing your media directories today is the difference between a normal business day and a total data breach.
If you’re concerned about PolyShell or struggling with patch gaps, Horeb eCommerce provides expert remediation, compliance, and proactive monitoring to keep your storefront safe.
Don’t wait until attackers strike—reach out to Horeb today for a tailored security plan that ensures your Magento or Adobe Commerce store remains protected.