Critical PolyShell Vulnerability Exploited in Widespread Attacks Against Magento E-commerce Platforms, Threatening Over Half of Exposed Stores

A newly identified critical vulnerability, dubbed "PolyShell," impacting Magento Open Source and Adobe Commerce installations (version 2), is currently under aggressive exploitation, with threat actors actively targeting a significant majority of susceptible online storefronts. This pervasive campaign underscores the rapid weaponization of newly disclosed flaws, posing substantial risks to e-commerce operations globally.

The initial wave of mass exploitation for the PolyShell vulnerability commenced shortly after its public disclosure, with security researchers observing a rapid proliferation of attacks across the Magento ecosystem. According to analyses by leading e-commerce security firms, within days of the vulnerability becoming public knowledge, over 56% of all identified vulnerable Magento stores had already been subjected to attempted or successful exploitation. This accelerated timeline from disclosure to widespread attack highlights the critical need for immediate defensive measures following the announcement of severe security flaws. The vulnerability itself, a remote code execution (RCE) flaw, presents a direct path for unauthorized access and control over affected e-commerce platforms, enabling a spectrum of malicious activities ranging from data theft to website defacement.

Magento, now an integral part of Adobe Commerce, stands as one of the most widely deployed e-commerce platforms globally. Its robust feature set and scalability make it a preferred choice for businesses of all sizes, from small retailers to large enterprises. However, its popularity also renders it a prime target for cybercriminals. The platform’s complexity, coupled with its extensive use of third-party extensions and customizations, often creates a vast attack surface that requires vigilant maintenance and proactive security management. A critical vulnerability like PolyShell, which can grant unauthenticated remote code execution, represents an existential threat to businesses reliant on these platforms, capable of compromising sensitive customer data, financial information, and the integrity of the entire online operation.

The PolyShell flaw originates within Magento’s REST API, a crucial interface for programmatic interaction with the e-commerce platform. Specifically, the vulnerability resides in the API’s handling of file uploads associated with custom options for cart items. Threat actors can leverage this weakness by uploading specially crafted "polyglot" files. A polyglot file is a file designed to be valid under multiple file formats, allowing it to bypass certain security checks. In this context, such a file can be interpreted by the server in a way that executes malicious code. If the underlying web server configuration permits, this mechanism facilitates remote code execution (RCE), granting attackers arbitrary control over the server. Beyond RCE, the vulnerability can also be exploited to achieve account takeover through stored cross-site scripting (XSS), where malicious scripts are injected into the website and executed in the browsers of legitimate users, potentially leading to credential theft or session hijacking. The specific details of the web server configuration play a pivotal role in the exploitability and severity of the attack, as certain settings may inadvertently enable or restrict the execution of uploaded files.
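
The upload-handling weakness described above is what a server-side validator has to catch: a file whose leading bytes parse as an image while its body also carries interpreter markers. The following Node.js validator is an added example, not code from the article or from Magento/Adobe; it assumes that only raster images are legitimate custom-option uploads, and the two sample files are constructed inline.

```javascript
// Added example (not from the article or from Magento/Adobe code): a defensive
// validator for files uploaded through a cart custom-option flow. A polyglot
// is a file that parses as a harmless format (an image) while also carrying
// content another interpreter would execute. The checks below reject such a
// file before it reaches disk, regardless of what the web server would do.
// Assumption: only raster images are legitimate custom-option uploads.

const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif"]);

// Magic-byte signatures of the allowed formats.
const SIGNATURES = [
  { format: "png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { format: "jpeg", bytes: [0xff, 0xd8, 0xff] },
  { format: "gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Map a filename extension to the format its content must sniff as.
const EXTENSION_FORMAT = { png: "png", jpg: "jpeg", jpeg: "jpeg", gif: "gif" };

// Text markers whose presence inside an "image" means the file is also
// executable text if the web server ever hands it to an interpreter.
const CODE_MARKERS = [/<\?php\b/i, /<script\b/i];

function sniffFormat(bytes) {
  for (const sig of SIGNATURES) {
    if (bytes.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => bytes[i] === b)) {
      return sig.format;
    }
  }
  return null;
}

function extensionOf(filename) {
  const idx = filename.lastIndexOf(".");
  return idx === -1 ? "" : filename.slice(idx + 1).toLowerCase();
}

function containsCodeMarkers(bytes) {
  const text = Buffer.from(bytes).toString("latin1");
  return CODE_MARKERS.some((re) => re.test(text));
}

// Returns { ok, format, reasons }. Every failed check is reported so a
// reviewer sees the full picture rather than only the first rejection.
function validateUpload({ filename, bytes }) {
  const reasons = [];
  const ext = extensionOf(filename);
  const format = sniffFormat(bytes);

  if (!ALLOWED_EXTENSIONS.has(ext)) {
    reasons.push(`extension ".${ext}" is not an allowed image type`);
  }
  if (format === null) {
    reasons.push("content does not start with an allowed image signature");
  } else if (EXTENSION_FORMAT[ext] && EXTENSION_FORMAT[ext] !== format) {
    reasons.push(`extension ".${ext}" does not match ${format} content`);
  }
  if (containsCodeMarkers(bytes)) {
    reasons.push("image body contains server-side code markers (possible polyglot)");
  }
  return { ok: reasons.length === 0, format, reasons };
}

// Constructed samples: a minimal PNG header, and a GIF header followed by a
// PHP open tag (the polyglot shape a validator must catch).
const SAMPLE_PNG = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, // PNG signature
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52, // IHDR chunk header
]);
const SAMPLE_POLYGLOT = Buffer.concat([
  Buffer.from("GIF89a", "latin1"),
  Buffer.from("<?php /* constructed marker, not a payload */ ?>", "latin1"),
]);

console.log(validateUpload({ filename: "photo.png", bytes: SAMPLE_PNG }));
console.log(validateUpload({ filename: "photo.gif", bytes: SAMPLE_POLYGLOT }));
```

The marker scan is a heuristic, not a parser; the control that removes the risk outright is the web server configuration the article refers to, which must never execute files from the upload directory. The validator is a second layer that keeps polyglots off disk in the first place.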

In response to the identified vulnerability, Adobe released a preliminary fix in version 2.4.9-beta1 of Adobe Commerce on March 10, 2026. However, this patch has not yet been integrated into a stable, production-ready branch, leaving a substantial portion of the active Magento and Adobe Commerce installations without an official, readily deployable security update. The delay in releasing a stable patch for such a critical vulnerability presents a significant challenge for system administrators and security teams, who are forced to either implement potentially unstable beta versions or rely on temporary, unverified mitigation strategies. This gap between vulnerability disclosure and a universally available, stable fix is a common yet persistent problem in software security, creating a window of opportunity that threat actors are quick to exploit. The lack of a definitive timeline from Adobe regarding the availability of a production-ready security update further exacerbates the situation, leaving many organizations in a precarious state of heightened risk.

Security researchers have taken proactive steps to aid defenders by publishing lists of IP addresses identified as actively engaged in scanning for and targeting web stores vulnerable to PolyShell. These indicators of compromise (IoCs) are crucial for organizations to proactively block malicious traffic and enhance their network perimeter defenses. However, relying solely on IP blacklisting is often insufficient, as sophisticated threat actors frequently rotate their infrastructure. A comprehensive defense strategy necessitates a multi-layered approach, including continuous monitoring, endpoint detection and response (EDR) solutions, and robust web application firewalls (WAFs) configured to detect and block known exploit patterns.

A particularly concerning development observed in some of the attacks leveraging PolyShell is the deployment of an advanced payment card skimmer. This novel malware distinguishes itself by utilizing Web Real-Time Communication (WebRTC) to exfiltrate stolen data, representing a significant evolution in credit card skimming techniques. Traditional payment card skimmers typically rely on HTTP or HTTPS to transmit stolen data to command-and-control (C2) servers. This new WebRTC-based skimmer, however, circumvents conventional security controls, including strict Content Security Policy (CSP) connect-src directives that restrict which endpoints a page may contact.

PolyShell attacks target 56% of all vulnerable Magento stores

WebRTC is a collection of open standards that enable real-time communication capabilities, such as video, audio, and data transfer, directly between web browsers and other applications. Critically, WebRTC communication often utilizes Datagram Transport Layer Security (DTLS) over User Datagram Protocol (UDP) for its encrypted data channels, rather than the more commonly monitored Transmission Control Protocol (TCP) and HTTP/HTTPS. This architectural difference provides the skimmer with a stealthy pathway for data exfiltration.

The modus operandi of this WebRTC skimmer is sophisticated. It operates as a lightweight JavaScript loader injected into the compromised e-commerce site. This loader establishes a direct connection to a hardcoded command-and-control (C2) server via WebRTC, bypassing the standard signaling process usually required for WebRTC peer-to-peer connections by embedding a forged Session Description Protocol (SDP) exchange. SDP is used to describe the multimedia sessions for WebRTC, and by forging this exchange, the skimmer can initiate a direct connection without relying on a signaling server that might be monitored.

Once the WebRTC channel is established, the skimmer receives a second-stage payload over this encrypted, out-of-band channel. This payload, containing the core skimming logic, is then executed while attempting to evade detection and CSP restrictions. Common CSP bypass techniques employed include reusing an existing script nonce (the per-response random value that a CSP uses to authorize specific script elements), falling back to 'unsafe-eval' if the CSP permits it, or directly injecting scripts into the Document Object Model (DOM). To further reduce its footprint and detection likelihood, the execution of this second-stage payload is strategically delayed using requestIdleCallback, a browser API that schedules tasks to run during the browser's idle periods. This tactic ensures that the malicious activity occurs when system resources are less constrained, making it less likely to trigger performance-based security alerts or be noticed by vigilant users.
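
The indicator combination described in the two paragraphs above (a peer connection fed an SDP literal from the script itself rather than from a signaling server, nonce reuse, eval fallback, script-element injection, and requestIdleCallback deferral) lends itself to static triage of the JavaScript a storefront serves. The scanner below is an added example, not code from the article or from any security vendor; the rule ids, weights and thresholds are its own choices, and the three script samples are constructed indicator text, not working code.

```javascript
// Added example (not from the article or any vendor): a static triage scan
// that scores a JavaScript source for the indicator combination the article
// describes. Rule ids, weights and thresholds are this example's own choices.

const RULES = [
  { id: "rtc-peerconnection", weight: 1,
    re: /new\s+(?:webkit|moz)?RTCPeerConnection\s*\(/ },
  { id: "rtc-datachannel",    weight: 1, re: /\.createDataChannel\s*\(/ },
  // An SDP body ("v=0" followed by CRLF) inside a string literal: legitimate
  // clients receive SDP from a signaling server, they do not embed it.
  { id: "inline-sdp",         weight: 3, re: /["'`]v=0(?:\\r\\n|\r?\n)/ },
  { id: "inline-fingerprint", weight: 3, re: /a=fingerprint:/ },
  { id: "idle-callback",      weight: 1, re: /\brequestIdleCallback\s*\(/ },
  // Reading the nonce of an existing <script> element to reuse it.
  { id: "nonce-reuse",        weight: 3,
    re: /\.nonce\b|getAttribute\s*\(\s*["']nonce["']\s*\)/ },
  { id: "dynamic-eval",       weight: 2, re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: "script-injection",   weight: 1,
    re: /createElement\s*\(\s*["']script["']\s*\)/ },
];

const SUSPICIOUS_THRESHOLD = 6;
const REVIEW_THRESHOLD = 3;

// Returns { findings, score, verdict }. "suspicious" requires both a high
// score and an actual WebRTC peer connection, so that a page using eval and
// dynamic script tags for legitimate reasons lands in "review" instead.
function analyzeScript(source) {
  const matched = RULES.filter((r) => r.re.test(source));
  const findings = matched.map((r) => r.id);
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  const usesWebRtc = findings.includes("rtc-peerconnection");
  let verdict = "benign";
  if (score >= SUSPICIOUS_THRESHOLD && usesWebRtc) verdict = "suspicious";
  else if (score >= REVIEW_THRESHOLD) verdict = "review";
  return { findings, score, verdict };
}

// Constructed sample 1: a legitimate video-chat client. It uses WebRTC but
// obtains its SDP from a signaling endpoint, so only one low-weight rule fires.
const BENIGN_SAMPLE = String.raw`
const pc = new RTCPeerConnection({ iceServers: [{ urls: "stun:stun.example.org" }] });
const answer = await fetch("/signal/answer").then((r) => r.json());
await pc.setRemoteDescription(answer);
`;

// Constructed sample 2: indicator text only (not a working loader) with the
// shape the article describes: hardcoded SDP, a data channel, idle deferral
// and a nonce copied from an existing script element.
const SUSPICIOUS_SAMPLE = String.raw`
const pc = new RTCPeerConnection({ iceServers: [] });
const ch = pc.createDataChannel("d");
pc.setRemoteDescription({ type: "answer", sdp: "v=0\r\na=fingerprint:sha-256 PLACEHOLDER\r\n" });
requestIdleCallback(() => {
  const s = document.createElement("script");
  s.nonce = document.querySelector("script[nonce]").nonce;
});
`;

// Constructed sample 3: dynamic code but no WebRTC; lands in "review".
const MIXED_SAMPLE = String.raw`
const s = document.createElement("script");
s.text = new Function("return 1")();
`;

for (const [name, src] of [["benign", BENIGN_SAMPLE],
                           ["suspicious", SUSPICIOUS_SAMPLE],
                           ["mixed", MIXED_SAMPLE]]) {
  console.log(name, analyzeScript(src));
}
```

Run it over every script a store serves (including third-party tags) and diff the verdicts between deployments; a script that moves from "benign" to "suspicious" without a corresponding release is the signal worth investigating. Because WebRTC data channels never appear in HTTP access logs, this kind of source-level check complements, rather than replaces, the UDP traffic monitoring the article recommends.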

The efficacy and stealth of this WebRTC skimmer were underscored by its detection on the e-commerce platform of a major automotive manufacturer, a company valued at over $100 billion. Despite notification from security researchers, the affected organization reportedly did not respond, highlighting the persistent challenges in incident response and communication, even for large enterprises. The implications of such a sophisticated skimmer are profound, as it represents a significant escalation in the arms race between cybercriminals and security professionals, demanding a re-evaluation of traditional network and application security monitoring strategies.

To effectively defend against PolyShell attacks and the sophisticated WebRTC skimmer, organizations must adopt a proactive and multi-faceted security posture. Immediate actions include:

  • Patching: As soon as a stable patch is released by Adobe, it must be applied without delay. Until then, careful consideration of applying the beta patch or implementing temporary, verified mitigations is crucial.
  • Vulnerability Scanning: Regular, comprehensive vulnerability scanning of Magento installations is essential to identify and address weaknesses before they are exploited.
  • Content Security Policy (CSP) Hardening: E-commerce sites should implement and rigorously enforce a strict CSP, carefully auditing all directives, especially connect-src, to ensure that only legitimate endpoints are permitted for data transfer. Special attention should be paid to preventing unsafe-eval and limiting script execution to specific nonces.
  • Network Monitoring: Enhanced network monitoring capabilities are required to detect unusual traffic patterns, particularly over UDP, which might indicate WebRTC-based exfiltration attempts. Deep Packet Inspection (DPI) and behavioral analytics can be instrumental here.
  • Endpoint Detection and Response (EDR): Deploying EDR solutions on web servers can help detect and respond to malicious code execution and file manipulations indicative of RCE exploitation.
  • Web Application Firewall (WAF): A well-configured WAF can provide a crucial layer of defense by filtering out malicious requests targeting the REST API and blocking known exploit signatures.
  • Security Audits: Regular third-party security audits and penetration testing can help uncover latent vulnerabilities and misconfigurations.
  • Incident Response Plan: Organizations must have a robust incident response plan in place, regularly tested and updated, to effectively manage and mitigate the impact of a successful breach.
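
The CSP hardening item above (audit every directive, especially connect-src, forbid unsafe-eval, tie script execution to nonces) is something a deploy pipeline can check mechanically. The auditor below is an added example, not code from the article or from Adobe. It parses a Content-Security-Policy header value and reports the weaknesses that matter for the attacks described; it also checks for the CSP Level 3 `webrtc 'block'` directive, which the article does not mention, because connect-src does not govern WebRTC data channels (verify support for your customers' browsers before relying on it). The severity labels and the two sample headers are this example's own.

```javascript
// Added example (not from the article or Adobe): an auditor for a
// Content-Security-Policy header value. Severity labels are this example's own.

function parseCsp(header) {
  const directives = new Map();
  const duplicates = [];
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; keep the first one.
    if (directives.has(name)) { duplicates.push(name); continue; }
    directives.set(name, tokens.slice(1));
  }
  return { directives, duplicates };
}

const isNonceOrHash = (s) =>
  /^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$/.test(s);
// "*" or a bare scheme such as https: allows any host on that scheme.
const isWildcard = (s) =>
  s === "*" || /^(https?|wss?|data|blob):$/.test(s) || /^https?:\/\/\*$/.test(s);

function auditCsp(header) {
  const { directives, duplicates } = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) =>
    findings.push({ severity, directive, message });
  // Fetch directives fall back to default-src when absent.
  const effective = (name) =>
    directives.get(name) ?? directives.get("default-src") ?? null;

  for (const d of duplicates) add("low", d, "repeated; only the first occurrence is enforced");
  if (!directives.has("default-src")) add("medium", "default-src", "missing; unlisted fetch directives are unrestricted");

  const script = effective("script-src");
  if (script === null) {
    add("high", "script-src", "no script-src or default-src: scripts may load from anywhere");
  } else {
    const hasNonce = script.some(isNonceOrHash);
    if (script.includes("'unsafe-eval'")) add("high", "script-src", "'unsafe-eval' lets a loader run a second-stage payload through eval/Function");
    if (script.includes("'unsafe-inline'") && !hasNonce) add("high", "script-src", "'unsafe-inline' without a nonce or hash allows injected inline scripts");
    if (script.some(isWildcard)) add("high", "script-src", "wildcard or scheme source allows scripts from any host");
    if (!hasNonce) add("medium", "script-src", "no nonce or hash source; prefer per-response nonces with 'strict-dynamic'");
  }

  const connect = effective("connect-src");
  if (connect === null) add("high", "connect-src", "unrestricted: fetch/XHR/WebSocket may reach any host");
  else if (connect.some(isWildcard)) add("high", "connect-src", "wildcard or scheme source permits exfiltration to any host");

  const object = effective("object-src");
  if (!object || !object.includes("'none'")) add("medium", "object-src", "should be 'none' to block plugin-based script execution");
  if (!directives.has("base-uri")) add("medium", "base-uri", "missing; an injected <base> can redirect relative script URLs");

  const webrtc = directives.get("webrtc");
  if (!webrtc || !webrtc.includes("'block'")) add("medium", "webrtc", "connect-src does not cover WebRTC data channels; add webrtc 'block' unless the site needs WebRTC");
  return findings;
}

// Constructed header values: a permissive policy and a hardened one.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src *";
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'", // nonce is generated per response in practice
  "connect-src 'self' https://payments.example.com",
  "object-src 'none'",
  "base-uri 'self'",
  "webrtc 'block'",
].join("; ");

console.log("weak:", auditCsp(WEAK_CSP));
console.log("hardened:", auditCsp(HARDENED_CSP));
```

A nonce only authorizes the script elements the server emitted; as the article notes, a loader that is already executing can read and reuse that nonce, which is why the auditor also insists on the absence of 'unsafe-eval' and on a tight connect-src rather than treating the nonce as sufficient on its own.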

The ongoing exploitation of the PolyShell vulnerability and the emergence of advanced skimmer techniques like the WebRTC variant serve as a stark reminder of the dynamic and relentless nature of cyber threats targeting e-commerce. The rapid weaponization of newly disclosed vulnerabilities, coupled with the increasing sophistication of attack tools, necessitates a paradigm shift towards continuous security monitoring, proactive threat intelligence integration, and agile incident response capabilities. For businesses operating online, the integrity of their platform and the security of their customer data are paramount, making investment in robust cybersecurity measures not merely a cost, but a critical business imperative. The future of e-commerce security will depend heavily on the ability of organizations to stay ahead of evolving threats, collaborate with security researchers, and prioritize the swift implementation of security updates.
