Executive Summary
In March 2026, attackers began exploiting the 'PolyShell' vulnerability in Magento Open Source and Adobe Commerce installations, affecting over half of all vulnerable stores. The flaw resides in Magento's REST API, which improperly handles file uploads, allowing attackers to execute remote code or perform account takeovers via stored cross-site scripting (XSS). Adobe released a fix in version 2.4.9-beta1 on March 10, 2026, but it has not yet reached the stable branch.
This incident underscores the critical importance of timely patch management and the need for robust security configurations to prevent exploitation of known vulnerabilities. The rapid exploitation following public disclosure highlights the urgency for organizations to stay vigilant and proactive in their cybersecurity practices.
Why This Matters Now
The rapid exploitation of the PolyShell vulnerability demonstrates the increasing speed at which attackers leverage disclosed vulnerabilities. Organizations must prioritize immediate patching and enhance monitoring to mitigate such threats effectively.
Attack Path Analysis
Attackers exploited the PolyShell vulnerability in Magento's REST API to upload malicious polyglot files, achieving remote code execution. They escalated privileges by executing arbitrary PHP code, gaining administrative control over the server. Utilizing this access, they moved laterally within the network to identify and compromise additional systems. A WebRTC-based skimmer was deployed to establish an encrypted command and control channel, evading traditional security measures. Sensitive customer data, including payment information, was exfiltrated through this covert channel. The attack culminated in significant data breaches, leading to financial losses and reputational damage for the affected organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the PolyShell vulnerability in Magento's REST API to upload malicious polyglot files, achieving remote code execution.
Related CVEs
CVE-2026-XXXXX
CVSS 9.8An improper input validation vulnerability in Magento's REST API allows unauthenticated attackers to upload polyglot files, leading to remote code execution or account takeover.
Affected Products:
Adobe Magento Open Source – 2.4.8 and earlier
Adobe Adobe Commerce – 2.4.8 and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Application Layer Protocol: Web Protocols
Server Software Component: Web Shell
Input Capture: Keylogging
Indicator Removal: File Deletion
Archive Collected Data: Archive via Utility
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
E-commerce platforms face critical PolyShell vulnerability exploitation with payment card skimming attacks targeting customer financial data through WebRTC exfiltration channels.
Automotive
Automotive e-commerce sites targeted by PolyShell attacks with WebRTC skimmers detected on $100 billion car manufacturer website compromising customer payment information.
Fashion/Apparel
Fashion retailers using Magento platforms vulnerable to remote code execution and payment skimming attacks through REST API file upload exploitation mechanisms.
Consumer Electronics
Electronics retailers face elevated risk from mass PolyShell exploitation targeting 56% of vulnerable Magento stores with advanced CSP-bypassing payment skimmers.
Sources
- PolyShell attacks target 56% of all vulnerable Magento storeshttps://www.bleepingcomputer.com/news/security/polyshell-attacks-target-56-percent-of-all-vulnerable-magento-stores/Verified
- WebRTC skimmerhttps://sansec.io/research/webrtc-skimmerVerified
- Critical Magento PolyShell Vulnerability Explained: How to Protect Your E-Store from RCE Attackshttps://www.youtube.com/watch?v=UmSIzto38WMVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute arbitrary code on the server may have been constrained, reducing the likelihood of successful exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited, reducing the scope of administrative control they could achieve.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may have been constrained, reducing the number of systems they could compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish covert command and control channels may have been limited, reducing their capacity to manage compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing the volume of data they could extract.
The overall impact of the attack may have been reduced, limiting financial losses and reputational damage.
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Customer Account Management
- Payment Processing
Estimated downtime: 7 days
Estimated loss: $500,000
Customer PII and payment card information
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the attack surface.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities and reduce the risk of exploitation.
