PolyShell attacks target 56% of all vulnerable Magento stores
Cybersecurity researchers have documented widespread exploitation of the critical PolyShell vulnerability affecting Magento Open Source and Adobe Commerce platforms, with threat actors successfully compromising over half of all vulnerable e-commerce installations.
Sansec, a leading e-commerce security firm, reports that malicious actors began systematic exploitation of the PolyShell vulnerability on March 19th, just two days following its public disclosure. Their latest research indicates that attackers have now targeted 56.7% of all vulnerable Magento stores worldwide.
The vulnerability stems from a flaw in Magento's REST API implementation, which improperly handles file uploads within custom cart item options. This design weakness enables attackers to deploy polyglot files capable of achieving remote code execution or facilitating account takeover through stored cross-site scripting (XSS) attacks, contingent on the target web server's configuration parameters.
Adobe addressed the security flaw by releasing version 2.4.9-beta1 on March 10, 2026, though this patch remains limited to beta releases and has not yet been integrated into stable production versions. Despite multiple inquiries, Adobe has not provided BleepingComputer with a timeline for when security updates addressing PolyShell will become available for production environments.
To assist the cybersecurity community, Sansec has published a comprehensive list of IP addresses actively conducting reconnaissance scans for web stores vulnerable to PolyShell exploitation.
Advanced WebRTC payment skimmer deployment
Security analysis reveals that some PolyShell exploitation campaigns deploy a sophisticated payment card skimmer that uses Web Real-Time Communication (WebRTC) for data exfiltration. Instead of traditional HTTP requests, the stolen data travels over WebRTC's DTLS-encrypted UDP transport, which is not governed by Content Security Policy (CSP); this lets the malware evade security controls and bypass even strict CSP configurations with a restrictive "connect-src" directive.
The malicious payload operates as a lightweight JavaScript loader that establishes connections with hardcoded command-and-control infrastructure through WebRTC channels. The skimmer bypasses conventional signaling protocols by implementing a forged Session Description Protocol (SDP) exchange mechanism.
Once operational, the malware receives secondary payloads through the encrypted channel and executes them while evading CSP protections. The skimmer employs several evasion techniques: reusing nonces from scripts already on the page, abusing an 'unsafe-eval' directive where the policy permits one, or injecting scripts directly. To reduce the chance of being noticed, execution is deferred with the 'requestIdleCallback' API so the payload runs only when the browser is otherwise idle.
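Because CSP's "connect-src" does not cover WebRTC, a checkout page that never uses WebRTC legitimately can neutralize the exfiltration channel at runtime instead. The following guard is an added example, not code from Sansec, Adobe or the article: loaded before any third-party script, it replaces the WebRTC constructors on a window-like object with wrappers that record every construction attempt (with the caller's stack and ICE configuration) and, in "block" mode, refuse it. The `installWebRtcGuard` name and its options are this example's own.

```javascript
// Added example: a load-time guard for checkout pages that do not use WebRTC.
// It takes a window-like object so it can be exercised outside a browser.
const WEBRTC_APIS = ["RTCPeerConnection", "webkitRTCPeerConnection"];

function installWebRtcGuard(win, { mode = "block", report = () => {} } = {}) {
  const events = [];
  for (const name of WEBRTC_APIS) {
    const original = win[name];
    if (typeof original !== "function") continue;
    const guarded = function (...args) {
      const event = {
        api: name,
        mode,
        // A skimmer supplies its own ICE/STUN configuration; keep it for triage.
        config: args[0] === undefined ? null : JSON.stringify(args[0]),
        stack: new Error().stack,
        time: Date.now(),
      };
      events.push(event);
      report(event);
      if (mode === "block") {
        throw new Error(`${name} is not permitted on this page`);
      }
      // "report" mode: let legitimate callers through but keep the record.
      return Reflect.construct(original, args);
    };
    // Keep instanceof checks working for code that is allowed to run.
    guarded.prototype = original.prototype;
    // Non-writable and non-configurable so a later script cannot simply
    // reassign the property to restore the original constructor.
    Object.defineProperty(win, name, {
      value: guarded, writable: false, configurable: false, enumerable: true,
    });
  }
  return { events };
}

// Browser usage: install as the first script in <head>. The report callback
// is where a real deployment would forward the event to its own endpoint.
if (typeof window !== "undefined") {
  installWebRtcGuard(window, {
    mode: "block",
    report: (event) => console.warn("WebRTC construction attempt", event),
  });
}
```

The guard is defense in depth for the exfiltration step only: it does nothing against the polyglot upload itself, and a script that runs before it could still capture the original constructor.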
Sansec's investigation uncovered deployment of this advanced skimmer on the e-commerce platform of a major automotive manufacturer with a market valuation exceeding $100 billion. The affected company has not responded to security notifications regarding the compromise.
Security professionals can access indicators of compromise (IOCs) provided by Sansec researchers to implement defensive measures against these sophisticated attack campaigns.