


Perceptive Security
SOC/SIEM Consultancy

PolyShell attacks target 56% of all vulnerable Magento stores
Published:
25 March 2026 at 21:40:21
Alert date:
25 March 2026 at 22:02:27
Source:
bleepingcomputer.com
Web Technologies, Zero-Day Vulnerabilities, Ransomware & Malware
Attacks exploiting the PolyShell vulnerability are actively targeting 56% of all vulnerable Magento Open Source and Adobe Commerce installations. The attacks leverage a vulnerability in version 2 of these e-commerce platforms. With more than half of vulnerable stores being targeted, this is a significant threat to online retail infrastructure, and the breadth of the activity indicates an active exploitation campaign. E-commerce platforms are critical business infrastructure, making this a high-priority security incident.
Technical details
The PolyShell vulnerability lies in Magento's REST API, which accepts file uploads as part of custom options for cart items. Uploaded polyglot files (files that are valid in more than one format at once) allow attackers to achieve remote code execution, or account takeover via stored cross-site scripting (XSS). Mass exploitation started on March 19th. Attackers deploy a novel payment card skimmer that uses Web Real-Time Communication (WebRTC) to exfiltrate data over DTLS-encrypted UDP rather than HTTP, bypassing Content Security Policy (CSP) controls. The skimmer is a lightweight JavaScript loader that connects to hardcoded command-and-control (C2) servers via WebRTC using a forged SDP exchange, receives second-stage payloads, and bypasses CSP by reusing script nonces already present on the page or by falling back to 'unsafe-eval'. Execution is delayed using 'requestIdleCallback' to reduce the chance of detection.
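As an added illustration (not code from the source article or from Sansec), the following Python triage script parses a storefront's CSP header for the settings the described bypass relies on and scans served scripts for the loader traits named above: WebRTC transport, SDP handling, requestIdleCallback delay, nonce reuse and eval fallback. The header, script names and script bodies are constructed sample input, and the check for the CSP Level 3 webrtc directive assumes the store can block WebRTC outright.

```python
# Heuristic triage of a storefront page: parse its CSP header and scan served
# JavaScript for the loader traits the write-up names (WebRTC transport, SDP
# handling, requestIdleCallback delay, nonce reuse, eval fallback).
import re

SKIMMER_TRAITS = {
    "webrtc_transport": re.compile(r"\bRTCPeerConnection\b|\bcreateDataChannel\b"),
    "sdp_handling": re.compile(r"\bset(Remote|Local)Description\b"),
    "delayed_exec": re.compile(r"\brequestIdleCallback\b"),
    "nonce_reuse": re.compile(r"\.nonce\b|getAttribute\(\s*['\"]nonce['\"]\s*\)"),
    "eval_fallback": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_findings(header: str) -> list[str]:
    """Flag policy settings that leave the described bypass and transport open."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if "'unsafe-eval'" in script_src:
        findings.append("script-src permits 'unsafe-eval': the eval fallback works")
    # connect-src does not govern WebRTC; only the CSP Level 3 'webrtc' directive does
    # (browser support varies; assumption: this storefront can block WebRTC outright).
    if policy.get("webrtc") != ["'block'"]:
        findings.append("no \"webrtc 'block'\" directive: DTLS/UDP exfiltration is not policy-controlled")
    return findings

def script_traits(js: str) -> list[str]:
    return [name for name, rx in SKIMMER_TRAITS.items() if rx.search(js)]

def triage(csp_header: str, scripts: dict[str, str]) -> dict[str, object]:
    """WebRTC use plus at least one further trait is the combination worth an analyst's look."""
    suspicious = {name: t for name, body in scripts.items()
                  if "webrtc_transport" in (t := script_traits(body)) and len(t) >= 2}
    return {"csp": csp_findings(csp_header), "suspicious": suspicious}

# Constructed sample input: a header and two script bodies as a crawler would see them.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-d2Vi' 'unsafe-eval'; connect-src 'self'"
SAMPLE_SCRIPTS = {
    "lazy-images.js": "requestIdleCallback(() => imgs.forEach(i => { i.src = i.dataset.src; }));",
    "loader.js": "requestIdleCallback(() => { const pc = new RTCPeerConnection(cfg); pc.setRemoteDescription(offer); });",
}
```

The benign lazy-loader is not flagged because requestIdleCallback alone is common in legitimate code; the trait combination, not any single API, is what merits review.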
Mitigation steps:
Update to Adobe Commerce version 2.4.9-beta1, released on March 10, 2026 (a stable version is not yet available). Monitor for the indicators of compromise provided by Sansec. Check your own traffic against the list of IP addresses published by Sansec that have been observed scanning for PolyShell-vulnerable web stores.
Affected products:
Magento Open Source version 2
Adobe Commerce version 2
Related links:
https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/
https://sansec.io/research/webrtc-skimmer
https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/adobe-commerce/2-4-9?lang=en#highlights-in-v249-beta1
https://sansec.io/research/magento-polyshell#live-polyshell-attacks
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
