
Organizations running Magento Open Source or Adobe Commerce should treat the newly active PolyShell threat as a high-priority risk. Security researchers at Sansec reported that automated exploitation ramped up within days of public disclosure, and BleepingComputer reported on March 25 that attacks had already reached a significant share of vulnerable stores. For businesses that rely on online storefronts, this is not just a technical issue — it is a direct revenue, customer trust, and payment-data risk.
What is happening
PolyShell is a critical file-upload issue in Magento’s REST API that can let an unauthenticated attacker upload a file of their choosing to a store. What that upload becomes depends on server configuration: if the web server will execute PHP from the upload location, the uploaded file is a webshell and the result is remote code execution; if it will not, the attacker may still get attacker-controlled content served from the store’s own origin, which is the route to the stored cross-site scripting and account takeover scenarios. Sansec says mass scanning accelerated around March 19 and that a large percentage of vulnerable stores have already been targeted.
The threat is especially concerning because it affects internet-facing e-commerce systems that process orders, handle customer accounts, and integrate with payment and back-office platforms. Attackers do not need an initial foothold: the upload path is reachable without authentication from the internet, so they can go directly after exposed stores.
Why businesses should care
- Revenue disruption: A compromised storefront can lead to downtime, abandoned carts, and emergency remediation costs.
- Payment and customer data risk: Researchers have linked some attacks to web skimmer activity designed to steal card data.
- Brand damage: Even a short-lived compromise can undermine customer confidence in online checkout.
- Lateral movement potential: If an attacker lands on the web server, they may pivot into connected business systems.
Key technical signals
According to Sansec, the vulnerable behavior involves Magento REST API endpoints accepting file uploads tied to cart-item custom options without sufficient validation. The researchers also reported active attempts to upload disguised polyglot files and webshells using filenames such as index.php, rce.php, and similar variants. A polyglot here is a single file that parses as a valid image, so it passes an image-type check, while also carrying PHP code that runs if the server ever treats the file as a script; checking only the header or the declared MIME type does not catch it.
Sansec further noted that some intrusions are tied to a WebRTC-based payment skimmer. Card data that leaves the browser over a WebRTC peer connection does not show up as an ordinary HTTP request, so HTTP-centric controls such as proxy and WAF logs or a connect-src allowlist may never see the exfiltration.
What to do right now
- Identify exposure immediately. Confirm whether you or any client environments run Magento Open Source or Adobe Commerce.
- Review vendor and researcher guidance. Validate whether affected versions and your web-server configuration leave the upload path exposed.
- Harden the upload directory. Restrict access to pub/media/custom_options/ and verify that PHP execution is blocked there, by testing the deployed web-server configuration rather than reading the shipped sample.
- Scan for indicators of compromise. Look for unexpected files, especially suspicious PHP or PHTML files in media and upload paths, and image-named files that contain a PHP open tag; compare modification times against your deployment history.
- Inspect checkout pages. Watch for unauthorized JavaScript, injected payment skimmers, or unusual outbound connections.
- Prepare emergency patching. Adobe has addressed the issue in a pre-release branch, so production teams should closely monitor for stable fixes and apply them fast once available.
- Segment and monitor. Treat the storefront as a critical edge system and monitor it like any other high-risk internet-facing asset.
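The following POSIX shell script is an added example for the "harden the upload directory" and "scan for indicators of compromise" steps above; it is not code from the article, from Sansec, or from Adobe/Magento. It looks for the two artifacts the article describes, webshell-named files with PHP-executable extensions and image-named polyglots carrying a PHP open tag, under a store's pub/media tree, lists recently written files for comparison with the deployment calendar, and includes a live check that the web server refuses to execute PHP under /media/custom_options/. The install path, the probe filename and the "EXECUTED" marker are assumptions made for illustration.

```sh
#!/bin/sh
# Added example for this article, not code from Sansec, Adobe or Magento.
# Hunts a Magento media tree for the two artifacts the article describes:
#   1. files with a PHP-executable extension dropped into upload paths
#      (index.php, rce.php and similar), and
#   2. polyglots: image-named files that also carry a PHP open tag.
# Assumptions: runs as a user that can read the store's pub/media tree;
# find -iname and grep -a are available (GNU or BSD userland).

# 1. Extensions a typical PHP-FPM/mod_php handler would execute.
find_executable_extensions() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# 2. Image-named files containing "<?php" or "<?=" anywhere in their bytes.
#    grep -a treats the binary image as text so a tag after a valid
#    image header is still found.
find_polyglots() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.webp' -o -iname '*.svg' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -a -E '<\?(php|=)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# 3. Anything written in the last N days (default 7), to compare against
#    the deployment history: legitimate media rarely changes on its own.
find_recent() {
    find "$1" -type f -mtime -"${2:-7}" 2>/dev/null
}

# Runs checks 1 and 2 over one directory, prints each suspect path and a
# summary, and returns non-zero when anything was found so the script can
# gate a cron job or a deployment check.
scan_media() {
    dir="$1"
    hits=0
    list=$(mktemp)
    { find_executable_extensions "$dir"; find_polyglots "$dir"; } | sort -u > "$list"
    while IFS= read -r f; do
        hits=$((hits + 1))
        printf 'SUSPECT: %s\n' "$f"
    done < "$list"
    rm -f "$list"
    printf 'scan of %s: %d suspect file(s)\n' "$dir" "$hits"
    [ "$hits" -eq 0 ]
}

# Live check that the web server refuses to execute PHP in the upload path.
# Assumes you placed a harmless probe (e.g. <?php echo 'EXECUTED'; ?>) at
# pub/media/custom_options/probe.php on the server yourself and will remove
# it afterwards (scan_media will flag it until you do). "EXECUTED" in the
# body means PHP runs there; a 403/404 or the raw source text means it does
# not. Needs a live store, so it is not part of the offline checks.
check_php_blocked() {
    body=$(curl -sS "$1/media/custom_options/probe.php")
    case "$body" in
        *EXECUTED*) printf 'PHP EXECUTES under /media/custom_options/ on %s\n' "$1"; return 1 ;;
        *)          printf 'PHP does not execute under /media/custom_options/ on %s\n' "$1"; return 0 ;;
    esac
}

# Usage: sh hunt.sh /var/www/magento   (install root is an assumed path)
if [ $# -gt 0 ]; then
    scan_media "$1/pub/media"
    printf '\nFiles modified in the last 7 days:\n'
    find_recent "$1/pub/media" 7
fi
```

A clean scan is not proof of a clean store: it only covers the drop locations the article names, so pair it with the checkout-page inspection and outbound-connection monitoring in the next steps. Magento ships web-server sample configurations meant to deny script execution under pub/media, but a deployed configuration can drift from the sample, which is why check_php_blocked tests the running server rather than the file on disk.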
Bottom line
PolyShell is the kind of threat that can move from disclosure to widespread abuse very quickly because it targets a public-facing business application with direct financial value. If your organization depends on Magento or Adobe Commerce, assume attackers are already scanning for it. The practical response is simple: verify exposure now, lock down upload paths, hunt for compromise, and be ready to patch as soon as stable vendor fixes are released.
Sources: BleepingComputer report published March 25, 2026, and Sansec research on active PolyShell exploitation and defensive guidance.