A critical vulnerability in Magento and Adobe Commerce has created an urgent security situation affecting e-commerce stores worldwide. The vulnerability, identified as APSB25-94 and discovered on March 17, 2026, allows attackers to upload files to vulnerable systems without authentication through an unrestricted file upload flaw in the REST API. This vulnerability has already been exploited in real attacks targeting thousands of stores, with research from Sansec showing that 79.5 percent of vulnerable Magento installations were directly targeted by automated attack campaigns. The scope of active exploitation is severe: over 7,500 domains and 15,000 hostnames have been compromised in documented defacement campaigns that began in late February 2026.
The threat extends across all current and older Magento Open Source and Adobe Commerce versions up to version 2.4.9-alpha2. While a patch was released on May 12, 2026, the fix is only available in Magento 2.4.9. Older supported versions—2.4.8, 2.4.7, and earlier—have not received backported patches, leaving stores running these versions in a vulnerable position with no official security fix available. For web developers and site administrators, this creates an immediate decision point: upgrade to the latest version or implement compensating security controls.
Table of Contents
- What Is the PolyShell Vulnerability and Why Does It Affect Magento Stores?
- The Scale and Scope of Active Exploitation
- Which Magento Versions Are Vulnerable and What’s the Timeline?
- How to Update Your Magento Installation
- Patching Limitations and Workaround Strategies
- Real-World Attack Examples and Their Consequences
- Securing Your Store Beyond the Patch
- Conclusion
What Is the PolyShell Vulnerability and Why Does It Affect Magento Stores?
The PolyShell vulnerability exploits a flaw in Magento’s REST API that fails to properly validate and restrict file uploads. An attacker can send a specially crafted request to the REST API and upload arbitrary files to the web server without providing valid authentication credentials. Once files are uploaded, an attacker can execute code on the server, install web shells for persistent access, steal customer data, modify store content, or inject malware into the checkout process.
This is not a theoretical risk—active exploitation began within days of the vulnerability’s discovery, with mass automated scanning launching on March 23, 2026. The vulnerability affects both Magento Open Source and Adobe Commerce, with no distinction in severity between the two. Every Magento store running version 2.4.9-alpha2 or earlier is vulnerable by default unless the system is fully patched or the REST API endpoint is restricted through server configuration. Unlike some vulnerabilities that require an attacker to already have some access or knowledge of your system, this flaw is discoverable through simple API requests and can be exploited by any attacker with internet access to your store’s domain.
The Scale and Scope of Active Exploitation
This is not a vulnerability announced in isolation with no real-world impact. Documented attack campaigns show that the threat is immediate and widespread. According to Netcraft, a large-scale Magento defacement campaign beginning February 27, 2026 compromised 7,500 domains across 15,000 hostnames. These were not isolated incidents or proof-of-concept exploits—they represent actual, compromised e-commerce stores, government services, and organizations across multiple countries.
The attack campaigns defaced storefronts, modified product pages, and in many cases installed persistent malware for long-term access. Sansec’s research specifically shows that 79.5 percent of vulnerable Magento stores were scanned and targeted by automated attacks. This means if you operate a Magento store running a vulnerable version and it was publicly accessible during the exploitation period (March 23 onwards), your site was almost certainly probed for this vulnerability. The difference between being probed and being successfully compromised depends on your server’s configuration and whether other security gaps exist, but the baseline risk is very high.
Which Magento Versions Are Vulnerable and What’s the Timeline?
All Magento Open Source and Adobe Commerce versions up to and including 2.4.9-alpha2 are affected. This includes widely deployed versions like 2.4.8, 2.4.7, 2.4.6, and older versions still running on many stores. The vulnerability was discovered on March 17, 2026, and evidence of active exploitation appeared within days. Mass automated scanning began on March 23, 2026, shortly after technical details became available in the security community.
By the time many site administrators became aware of the vulnerability, their systems may have already been targeted. The patch was released on May 12, 2026, in Magento version 2.4.9. However, Adobe and the Magento project made a critical decision not to backport the security fix to older supported versions like 2.4.8, 2.4.7, or earlier. This means if your store is running Magento 2.4.8 or older, there is no official security patch available directly from Adobe or the Magento project. Upgrading to 2.4.9 is the only official path to receive the fix.
How to Update Your Magento Installation
The most direct solution is to upgrade to Magento version 2.4.9 or later. If your store is running 2.4.8 or earlier, plan and execute an upgrade as soon as feasible. The upgrade process depends on your hosting environment, customizations, and extensions. For many stores, this can be accomplished in a few hours, but testing and preparation may take longer. Work with your hosting provider or Magento developer to ensure the upgrade path is smooth, all extensions are compatible with the new version, and your database is backed up before beginning.
Before upgrading, verify that all third-party extensions are compatible with Magento 2.4.9. Some extensions may require updates themselves to work with the latest version. Test the upgrade in a staging environment that mirrors your production setup. This allows you to identify and resolve compatibility issues before they affect your live store. The process typically involves pulling the latest code, running database migrations, clearing caches, and redeploying static assets.
Patching Limitations and Workaround Strategies
A significant limitation exists for stores that cannot immediately upgrade: there is no official security patch for versions 2.4.8 and earlier. This puts administrators in a difficult position if upgrading is not immediately feasible due to custom development, extension incompatibilities, or business constraints. In these cases, temporary compensating controls are necessary while planning a longer-term upgrade. One effective interim measure is to restrict access to the REST API at the web server level using firewall rules, Web Application Firewall (WAF) rules, or .htaccess configuration.
If the REST API is not actively used by your frontend or third-party integrations, disabling or restricting API endpoints can prevent exploitation while you prepare for an upgrade. Another option is to implement strict input validation and rate limiting on API endpoints to make exploitation more difficult. However, these are temporary measures only. They add time for planning a proper upgrade but do not eliminate the underlying vulnerability. Any workaround should be paired with a concrete upgrade timeline.
Real-World Attack Examples and Their Consequences
The Magento defacement campaigns documented by Netcraft provide concrete examples of what successful exploitation looks like in practice. Attackers injected malicious content into website homepages, product pages, and checkout flows. In some cases, they added payment card skimmers designed to steal customer credit card information during checkout. Others planted web shells that gave them persistent administrative access to the server, allowing them to make changes to the site long after the initial breach.
For e-commerce stores, this means potential data breaches affecting customer information, loss of trust, legal liability, and expensive remediation. One documented target included a global brand’s e-commerce platform, where attackers modified product pages and injected JavaScript into the checkout process. Another case involved a government service portal running Magento. The consequences extended beyond the immediate compromise—customers reported fraudulent charges after checkout information was captured, and the affected organizations had to notify customers of the breach, coordinate with payment processors, and undergo forensic investigation to determine the scope of data exposure.
Securing Your Store Beyond the Patch
Applying the May 2026 patch is essential but is only one layer of a comprehensive security strategy. Once you have upgraded to Magento 2.4.9, implement additional hardening measures. Regularly update all extensions and themes, as outdated components are a common attack vector. Remove or disable any extensions that are no longer actively maintained or whose developers no longer support them.
Configure your hosting environment with a Web Application Firewall to detect and block common e-commerce attack patterns. Looking forward, this vulnerability underscores the importance of staying current with Magento updates and having a clear upgrade process in place. As Magento nears version 2.5.0 and beyond, administrators should plan for regular upgrade cycles rather than waiting years between major version jumps. The longer the gap between your running version and the latest release, the greater the risk that discovered vulnerabilities will go unpatched. Consider adopting a schedule of upgrading within three to six months of a major release, with security patches applied immediately upon release.
Conclusion
The PolyShell vulnerability (APSB25-94) represents a critical, actively exploited security flaw affecting all Magento and Adobe Commerce stores running versions prior to 2.4.9. The evidence is clear: thousands of stores have already been compromised in documented attack campaigns, and 79.5 percent of vulnerable installations were targeted by automated attacks. The patch is available in Magento 2.4.9 as of May 12, 2026, but older supported versions have not received backports, making an upgrade the only official path to security. If your store runs Magento 2.4.8 or earlier, make upgrading to 2.4.9 an immediate priority.
Coordinate with your development and hosting teams, test thoroughly in a staging environment, and execute the upgrade as soon as feasible. For stores where an immediate upgrade is not possible, implement temporary controls on the REST API while planning your upgrade timeline. The cost and disruption of an upgrade today are far outweighed by the risk of data breach, regulatory liability, and customer harm if your store is compromised. Every day a vulnerable version remains in production increases the likelihood of successful exploitation.
