New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores
The PolyShell flaw affects all Magento Open Source and Adobe Commerce 2.x versions and allows unauthenticated code execution and account takeover. It stems from the REST API accepting file uploads into pub/media/custom_options/, where a polyglot file can lead to remote code execution or XSS. Adobe has released a fix, but only in an alpha release; merchants are advised to restrict access to the upload directory and scan for malware.
2026-3-19 20:15:17 Author: www.bleepingcomputer.com (view original)

A newly disclosed vulnerability dubbed 'PolyShell' affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.

There are no signs of the issue being actively exploited in the wild, but eCommerce security company Sansec warns that "the exploit method is circulating already" and expects automated attacks to start soon.

Adobe has released a fix, but it is only available in the second alpha release of version 2.4.9, leaving all production versions vulnerable. Sansec says that Adobe offers a "sample web server configuration that would largely limit the fallout," but most stores rely on a setup from their hosting provider.

In a report this week, Sansec says that the security problem is rooted in Magento's REST API accepting file uploads as part of a cart item's custom options.

"When a product option has type 'file', Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server," the researchers explain.

Sansec says “PolyShell” is named after its use of a polyglot file that can behave as both an image and a script.

Depending on the web server configuration, the flaw can enable remote code execution (RCE) or account takeover via stored XSS, impacting most of the stores Sansec analyzed.

“Sansec investigated all known Magento and Adobe Commerce stores and found that many stores expose files in the upload directory.”

Until Adobe ships the patch for production versions, store administrators are advised to take the following actions:

  • Restrict access to pub/media/custom_options/
  • Verify that nginx or Apache rules actually prevent access there
  • Scan stores for uploaded shells, backdoors, or other malware
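The following Python script is an added example, not code from Sansec, Adobe or the Magento project, that covers two points above: the polyglot upload described earlier (an image header with embedded code) and the last two mitigation steps, scanning the upload directory for shells and verifying that the web server really refuses direct access. scan_tree walks a directory shaped like pub/media/custom_options/ and flags files that carry a JPEG, PNG or GIF header but also contain PHP or script markers; classify_response interprets the answer to a direct GET of a known file under that directory, which is the check behind "verify that nginx or Apache rules actually prevent access". The sample files, the marker regex, the extension list and the finding labels are constructed for illustration; in a real deployment you would run scan_tree against the store's actual directory and probe against the store's own URL.

```python
"""
Scan a Magento-style pub/media/custom_options/ tree for uploaded polyglots and
shells, and classify a web server's answer when a known file under that
directory is requested directly. Added example; not Sansec's or Adobe's code.
"""
import os
import re
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# Image magic bytes the scanner recognises (constructed list for the demo).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Markers that have no business inside an image: PHP open tags, inline script, event handlers.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|\bon(?:load|error)\s*=|javascript:", re.I)
# Extensions a web server might execute or render as a document rather than an image (assumption).
RISKY_EXT = {"php", "php5", "php7", "phtml", "phar", "html", "htm", "svg", "js"}


def image_kind(data: bytes):
    """Return 'jpeg', 'png', 'gif' or None based on the leading magic bytes."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_file(data: bytes, filename: str) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    scripted = SCRIPT_MARKERS.search(data) is not None
    if image_kind(data) and scripted:
        findings.append("polyglot")          # valid image header plus embedded code
    elif scripted:
        findings.append("script")            # plain shell/HTML with no image disguise
    if Path(filename).suffix.lower().lstrip(".") in RISKY_EXT:
        findings.append("risky-extension")   # name alone may make the server execute or render it
    return findings


def scan_tree(root: str) -> dict:
    """Walk root and return {relative_posix_path: findings} for every flagged file."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            data = path.read_bytes()         # whole file: a PHP tag can be appended after the image data
            findings = classify_file(data, name)
            if findings:
                flagged[path.relative_to(root).as_posix()] = findings
    return flagged


def classify_response(status: int, body: bytes, marker: bytes) -> str:
    """
    Interpret a direct GET of a known probe file under /media/custom_options/.
    marker is a byte string stored in the file that the server would not emit
    if it executed the file as PHP instead of serving it verbatim.
    """
    if status in (403, 404):
        return "blocked"     # the nginx/Apache rule is doing its job
    if status == 200 and marker in body:
        return "served"      # raw file is exposed: stored-XSS risk if it is HTML/SVG
    if status == 200:
        return "executed"    # marker gone: the server ran the file as code
    return "unexpected"


def probe(url: str, marker: bytes, timeout: float = 10.0) -> str:
    """Network wrapper around classify_response; needs a reachable store and is not run offline."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(), marker)
    except urllib.error.HTTPError as exc:
        return classify_response(exc.code, exc.read(), marker)


def build_sample_tree() -> str:
    """Write constructed sample files mimicking pub/media/custom_options/quote/ and return the root."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = Path(root, "quote")
    quote.mkdir()
    samples = {
        "clean.gif": b"GIF89a" + b"\x00" * 32,                                       # benign
        "avatar.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php phpinfo(); ?>",   # polyglot
        "logo.png.php": b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>",                # polyglot, PHP name
        "note.svg": b"<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'></svg>",  # XSS vector
        "shell.phtml": b"<?= 'constructed' ?>",                                      # bare shell
    }
    for name, data in samples.items():
        (quote / name).write_bytes(data)
    return root


def demo() -> dict:
    """Scan the constructed tree; returns the flagged files and their findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(f"{rel}: {', '.join(findings)}")
```

The scanner deliberately reads whole files rather than just headers, because a polyglot's payload is typically appended after valid image data. For the access check, place a harmless file containing a unique marker under the directory, request it by URL, and treat anything other than "blocked" as a configuration that still needs fixing.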

BleepingComputer has contacted Adobe to ask about when a security update for PolyShell will be made available, but we have not heard back as of publishing.



Source: https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/
For infringement claims, contact: admin#unsafe.sh