A new critical vulnerability called PolyShell has just been disclosed and named by Sansec, affecting nearly all versions of Magento 2 and Adobe Commerce.
At Meetanshi, we want to ensure our clients and the Magento community are prepared. Here is everything you need to know to protect your store.
What is the Magento PolyShell Vulnerability?
The PolyShell flaw allows unauthenticated attackers to upload malicious files to your server via the Magento REST API.
The attackers upload “polyglot” files: scripts crafted so that they are also valid images, which lets them pass the upload validation as harmless product images.
Once uploaded, and if your web server is configured to execute PHP from the upload directory (see the RCE row below), these files let attackers run commands on your server, potentially leading to data theft or payment skimming.
Affected Versions
| Threat Type | Affected Versions / Configurations |
|---|---|
| Unrestricted File Upload | All Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2. |
| Stored XSS | All versions pre-2.3.5 OR stores with a custom webserver configuration. |
| Remote Code Execution (RCE) | Stock Nginx 2.0.0–2.2.x (via index.php filename). Any version with non-stock Nginx passing all .php to fastcgi. Apache pre-2.3.5 without php_flag engine 0. |
| Patched & Safe | 2.4.9-alpha3 and later (Note: This is currently a pre-release version). |
If you migrate your server or change your configuration in the future, a dormant PolyShell file could suddenly be triggered, giving an attacker full control of your site.
How to Secure Your Store Today
Adobe has addressed this in the 2.4.9 pre-release line (2.4.9-alpha3 and later, including 2.4.9-beta1), but for stores on production 2.4.x releases an isolated patch is not yet available.
We recommend the following:
- Server-Side Lockdown: Explicitly block access to the pub/media/custom_options/ directory in your Nginx or Apache configuration.
- Verify Your Web Server Config: Stock configurations are often safer than custom ones; ensure yours isn’t accidentally allowing .php execution in media folders.
- Malware Scanning: Use a deep-server scanner to check if any suspicious files are already sitting in your custom_options folder.
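As an added example (not code from the original post, from Sansec, or from Meetanshi), the POSIX shell script below carries out the three recommendations above locally: it scans a `custom_options` directory for files that are not genuine images or that hide PHP inside an image header, and it checks an Nginx configuration for a `location` rule that denies web access to `/media/custom_options/`. The directory layout, the sample files, the sample configs and the function names are all constructed for the demonstration; run the functions against your own `pub/media/custom_options/` and your own server config.

```shell
#!/bin/sh
# Added example (not Sansec's or Meetanshi's code): local triage for PolyShell.
# 1) scan a custom_options directory for non-image files and image/PHP polyglots;
# 2) check an Nginx config for a rule denying web access to /media/custom_options/.
# Every path, sample file and sample config below is constructed for the demo.

# Extensions that custom-option uploads are expected to carry; anything else is flagged.
IMG_EXT_RE='\.(jpe?g|png|gif|webp)$'

# Succeeds when the first bytes of a file match a known image signature.
has_image_magic() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*)          return 0 ;;   # JPEG
        89504e470d0a1a0a) return 0 ;;   # PNG
        474946383[79]61*) return 0 ;;   # GIF87a / GIF89a
        52494646*)        return 0 ;;   # RIFF container (WebP)
    esac
    return 1
}

# Prints "<reason><TAB><path>" for every suspicious file under the directory.
# A .htaccess is part of the stock layout and is skipped here; review it by hand.
scan_custom_options() {
    find "$1" -type f | while IFS= read -r f; do
        name=$(basename "$f")
        if [ "$name" = ".htaccess" ]; then
            continue
        elif ! printf '%s' "$name" | grep -qiE "$IMG_EXT_RE"; then
            printf 'non-image-extension\t%s\n' "$f"
        elif ! has_image_magic "$f"; then
            printf 'bad-magic\t%s\n' "$f"
        elif grep -qaE '<\?(php|=)' "$f"; then
            printf 'php-in-image\t%s\n' "$f"   # valid image header with PHP inside: the polyglot case
        fi
    done
}

count_suspicious() { scan_custom_options "$1" | wc -l | tr -d ' '; }

# Succeeds when the config has a location matching custom_options whose block
# contains "deny all". This is a text heuristic; confirm with `nginx -T` on the server.
nginx_denies_custom_options() {
    tr '\n' ' ' < "$1" | grep -qE 'location[^{]*custom_options[^{]*[{][^}]*deny[[:space:]]+all'
}

# Builds a throwaway store layout with constructed sample files and prints its path.
make_fixture() {
    tmp=$(mktemp -d)
    dir="$tmp/pub/media/custom_options"
    mkdir -p "$dir"
    printf '\211PNG\r\n\032\nIHDR...'          > "$dir/clean.png"     # genuine PNG header
    printf '\377\330\377\340JFIF...'           > "$dir/photo.jpg"     # genuine JPEG header
    printf '\211PNG\r\n\032\n<?php echo 1; ?>' > "$dir/polyglot.png"  # PNG header + PHP tag
    printf 'not an image at all'               > "$dir/fake.png"      # image extension, wrong magic
    printf '<?php echo 1; ?>'                  > "$dir/dropper.php"   # bare script
    printf 'Require all denied\n'              > "$dir/.htaccess"
    # Hardened sample: the deny rule the "Server-Side Lockdown" step asks for.
    cat > "$tmp/nginx-hardened.conf" <<'EOF'
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;
    # Never serve anything from the custom-options upload directory.
    location ~ ^/media/custom_options/ {
        deny all;
    }
}
EOF
    # Weak sample: media served with no restriction on the upload directory.
    cat > "$tmp/nginx-weak.conf" <<'EOF'
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;
}
EOF
    printf '%s\n' "$tmp"
}

fixture=$(make_fixture)
echo "Suspicious files under $fixture/pub/media/custom_options:"
scan_custom_options "$fixture/pub/media/custom_options"   # 3 lines: polyglot.png, fake.png, dropper.php
for conf in hardened weak; do
    if nginx_denies_custom_options "$fixture/nginx-$conf.conf"; then
        echo "nginx-$conf.conf: /media/custom_options/ is denied"
    else
        echo "nginx-$conf.conf: WARNING /media/custom_options/ is web-accessible"
    fi
done
rm -rf "$fixture"
```

The scanner deliberately checks the file body, not just the extension, because a polyglot passes every extension and magic-byte check by design; only the embedded `<?php` tag gives it away. The Nginx check is a grep over a flattened config and will not follow `include` directives, so on a production host run it against the output of `nginx -T`, and for Apache confirm that `php_flag engine 0` (or an equivalent deny) applies to the same directory.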
Don’t wait for an attack to happen. Whether you need a security audit, a server hardening session, or a full Magento (Adobe Commerce) upgrade to the latest secure version, our team is ready to help.
Keep your store secure with the latest Magento 2 patches—add them before it’s too late.